The Centre for Information Policy Leadership (the “Centre”) this week issued “Data Protection Law and the Ethical Use of Analytics,” authored for the Centre by Paul Schwartz, Professor of Law, Berkeley Law School, University of California. Marty Abrams shared this paper on November 30, 2010, at the European Data Protection and Privacy Conference in Brussels and plans to present the paper on December 1, 2010, at the Organization for Economic Cooperation and Development.
On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling. View the press release.
The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles. It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.” The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual. Interestingly, Members States may decide to exclude the public sector under certain conditions.
Adam Kardash from Heenan Blaikie LLP in Canada reports that Jennifer Stoddart has been nominated for reappointment as Privacy Commissioner of Canada for a three-year term. The nomination will be tabled in the House of Commons for consideration and is widely expected to be accepted.
Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, said, “Commissioner Stoddart has been a key leader in bringing data protection into the 21st century.”
Ms. Stoddart has served as Privacy Commissioner since December 2003.
For further information on the nomination, view the Prime Minister of Canada’s news release.
In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.
- Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
- A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.
The Transportation Security Administration has put in place new screening procedures in time for the busy Thanksgiving travel season. The new procedures have been broadly criticized by aviation security experts and privacy advocates. One of those experts, Professor Fred H. Cate, Director of the Center for Applied Cybersecurity Research and Professor of Law at Indiana University, has published an open letter to Senator Jay Rockefeller (D-WV) and Senator Kay Bailey Hutchison (R-Tex), urging oversight and reform. The letter details the ineffectiveness of the new procedures and criticizes them for violating basic notions of privacy. Professor Cate is a Senior Policy Advisor at the Centre for Information Policy Leadership at Hunton & Williams LLP.
On November 23, 2010, the data protection authority of the German federal state of Hamburg issued a €200,000 fine against financial institution Hamburger Sparkasse AG (“Haspa”) for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers. The bank cooperated with the DPA and has discontinued the illegal practices.
On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices. The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK. Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.
On November 17, 2010, Representative John Adler (D-NJ) introduced the Red Flag Program Clarification Act of 2010 (H.R. 6420) to “amend the Fair Credit Reporting Act with respect to the applicability of identity theft guidelines to creditors.” The bipartisan bill seeks to limit the scope of the FTC’s Identity Theft Red Flags Rule, which requires “creditors” and “financial institutions” that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect and respond to patterns, practices or specific activities that indicate possible identity theft.
On November 15, 2010, the Centre for Information Policy Leadership filed comments with the Department of Commerce in response to the Department’s Notice of Inquiry (“NOI”) on the Global Free Flow of Information on the Internet. The NOI was issued pursuant to an examination by the Department’s Internet Policy Task Force of issues related to restrictions on information flows on the Internet. The NOI poses wide-ranging questions related to why such restrictions were instituted; the impact restrictions may have on innovation, economic development, global trade and investment; and how best to deal with any negative effects. In the NOI, the Department acknowledges the benefits that businesses, emerging entrepreneurs and consumers derive from the ability to transmit information quickly and efficiently both domestically and internationally. It also recognizes the integral role the free flow of information plays in promoting economic growth and democratic values essential to free markets and free societies. The Department also articulated goals such as helping industry and other stakeholders operate in diverse Internet environments, and identifying policies that will advance economic growth and create job opportunities for Americans.
On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”. A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues. Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner, Ireland; Jennifer Stoddart, Commissioner, Office of the Privacy Commissioner, Canada; Hugh Stevenson, Deputy Director, Office of International Affairs, Federal Trade Commission; and Bojana Bellamy, Director of Data Privacy, Accenture (UK) Limited. The high-profile speakers explored various privacy issues that have raised regulatory concerns around the world, including issues on behavioral advertising, cloud computing and data breaches.
Taken from a portion of the webinar, each panelist addressed their thoughts on the major issues that will dramatically change the privacy landscape over the next year. In addition, they further discussed the revisions proposed in the EU Directive on Privacy and Electronic Communications.