page contents 2011 February Archive at

By paddloPayday loans

Archive for February, 2011

Are Companies at Risk for Astronomical Fines for Future EU Data Protection Violations?

February 25th, 2011 by Monique Altheim

At a recent conference in Frankfurt, organized by the Internet Society, Peter Hustinx, the European Data Protection Supervisor, suggested sanctioning violations of the EU data protection laws with the same astronomical fines as violations of competition laws are sanctioned.

Henriette “Jetty” Tielemans, partner at the Brussels office of Covington & Burling LLP, reports as follows:

“The trade press regularly reports on multi-million euro fines for cartels or abuses of dominant positions by companies under the competition rules of the European Union.  These figures are far away from the fines that currently can be levied for data protection violations.  Observers of the competition law scene will agree that the main reason that companies operating in the EU pay attention to competition law is the astronomic fines that can – and are –  levied.

Observers of the privacy scene also agree that one of the reasons that privacy is sometimes still not taken as seriously as it should by companies, is the relative lack of enforcement, and the low fines in case of enforcement.  With shrinking legal budgets for compliance and training, companies often devote more resources to areas where fines are steep such as competition law.

Hustinx’s timing is not a coincidence. The European Union is reviewing the current 1995 Data Protection Directive and a draft proposal is expected this summer.  Traditionally sanctions for violations of data protection laws have been left to the twenty-seven EU Member States (and they vary widely)  but perhaps this will change.  It remains to be seen how Hustinx’s suggestion will be received by the European Commission’s Data Protection Unit which is in charge of the revision of the 1995 Directive, subject to control by the European Parliament and the Council of Ministers.  But the office of the European Data Protection Supervisor, charged with monitoring compliance by the European institutions of data protection rules within their own ranks and advising the European institutions on data protection issues, is influential and highly respected in the privacy community and this proposal will therefore not go by unnoticed.  If accepted, it would revolutionize the data protection landscape in Europe.”

At present, compliance with the national data protection laws within the EU member states is less than satisfactory.

For example, as we reported recently on this website, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).

Peter Hustinx’s suggestion should concern not only global companies with a physical presence in one or more EU member states, but also online businesses, websites and mobile applications that target the EU market, as we explained in this post on applicable law.

For our full overview of Peter Hustinx’s opinion in response to  the Commission’s Communication of November 4, 2010  regarding the Review of the Data Protection Legal Framework , see here.

Tags: , , , , , . European Union Data Protection,Online Privacy Closed

Twitter Weekly Updates for EUdiscovery

February 25th, 2011 by Monique Altheim
Tags: . Weekly Twitter Updates Closed

The RFID Privacy and Data Protection Impact Assessment Framework in the EU: The Article 29 Working Party and the FTC are in No Rush

February 19th, 2011 by Monique Altheim

On February 11, the Article 29 Working Party adopted an opinion on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment (PIA) Framework for RFID applications. (ARTICLE 29 DATA PROTECTION WORKING PARTY 00327/11/EN WP 180 Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications)

The aricle 29 WP endorses the proposal developed by industry associations, experts, academics, and individual companies from across Europe.

One of the main privacy concerns related to RFID technology arises from uses of RFID technology which entail individual tracking and obtaining access to personal data. While an RFID operator may not have such a goal in mind when deploying an RFID application, it is important to consider the risk that a third party may use tags for such unintended purposes. The revised framework now clearly requires RFID operators to evaluate the risks that may arise when tags may be used outside the operational perimeter of an RFID application and/or are carried by persons.

The European Commission published a recommendation on the implementation of privacy and data protection principles in applications supported by radio-frequency identification on May 12th, 2009.( the “RFID Recommendation”).

One of the recommendations reads:

“Article 7: RFID use in Retail

Article 7.3: (a) Where a RFID application processes personal data or the privacy impact assessment…shows significant likelihood of personal data being generated from the use of the application, the retailer has to follow the criteria to make the processing legitimate as laid down in directive 95/46 and to deactivate the RFID tag at the point of sale unless the consumer chooses to keep the tag operational. (b) Where a RFID application does not involve processing of personal data and where the privacy impact assessment has shown negligible risk of personal data being generated through the application, the retailer must provide an easily accessible facility to deactivate or remove the tag.”

In the U.S. Federal Trade Commission Comments on the the European Commission’s recommendation of May 2009, the FTC stated, in response to recommendation  Article 7.3: (a)

” …Similarly, with respect to RFID, we caution against mandating a specific technological approach, such as mandatory deactivation of tags, before fully understanding the range of benefits the technology might provide to consumers, as well as the range of protective measures that might be available to consumers in the future.”

(The U.S. Federal Trade Commission’s Bureau of Consumer Protection is in charge of protecting consumer rights in the US.)

This is the recent Article 29 WP’s opinion on the subject matter of RFID use in retail:

“This concern (about individual tracking and access to personal data) has received particular attention in the retail sector, where it is feared that tagged items bought by individuals could be misused by retailers or third parties for tracking or profiling purposes. The European Commission addressed this concern in the Recommendation by establishing the principle that tags must be deactivated at the point of sale unless the customers give their informed consent to keep tags operational. The same Recommendation allows an exception to this deactivation principle if the PIA concludes that keeping tags operational after the point of sale does not represent a likely threat to privacy or the protection of personal data. The Working Party observes that a risk management approach, as suggested by the Framework, is an essential tool for the RFID Operator to assess the risks of taking the responsibility to keep tags activated after the point of sale.”

As shown with this example, a key point is that the Revised Framework is based on a risk management approach, which is an essential component of any Privacy and Data Protection Impact Assessment Framework.

The Article 29 WP however would like see implementaion of the Commission’s recommendation no earlier than three years from now.( 2014):

“The European Commission is expected to provide a report on the implementation of the Recommendation, its effectiveness and its impact on operators and consumers, with regards in particular to measures concerning the retail sector. This report is set to be produced 3 years after the Recommendation was published, that is by May 2012. However, considering that the Framework may take 6 months to fully take effect, supplementary time would be beneficial for all stakeholders before such an evaluation is conducted. Therefore, the Working Party would like to suggest to the European Commission to either postpone or supplement the proposed report at a later date set in 3 years from the publication of this opinion.”

In the above mentioned comments on the the European Commission’s recommendation of May 2009, the FTC remarked:

“The FTC staff supports the EC’s risk- based approach to addressing potential consumer privacy and data security issues related to the use of RFID technology. The FTC staff also agrees with the EC that there is a need to raise consumer awareness about RFID technology, in order to enhance consumer trust and to give consumers the tools to protect themselves from the risk of misuse of their information. Given the current stage of deployment of consumer-facing RFID applications, however, the FTC believes that mandating or encouraging specific technological tools for protecting consumer privacy is premature.” (bold added)

Premature?

Implementation no earlier than 2014?

Last summer, Wal-Mart created quite a controversy when it started to use RFID tags to track underwear and jeans and the George Miller III Head Start Program in Contra Costa County, California, created a buzz when they started to make pre-schoolers wear jerseys, with RFID chips inside that track them through the day.

But RFID (Radio frequency identification) technology is far from new. It has been used for many years to keep track of cattle, prisoners, goods, and  pets.

RFID technology is already widely adopted, world wide and in many industries, and is also found in enhanced driver’s licenses, credit and debit cards, passports and government IDs, TWIC Cards, Employer ID/Proximity Cards, US EZpasses, London Oyster cards, just to name a few applications.

The risk of tracking, profiling, fraud, identity theft is here and it is real.  RFID readers are used by convenience stores, pharmacies, restaurants, fast food markets, bars, and many other places of business to read the RFID chips.

However, these same readers can be freely purchased and attached to a laptop with very little technical knowledge required. There are even cell phones with built in card readers that can steal your information. By simply walking past you, anyone  equipped with such a device can acquire your credit card number and expiration date. There is even a term for it: electronic pick pocketing.

Here’s a not so recent video by Boingboingtv’: “How to hack RFID-enabled Credit Cards for $8 (BBtv)”

Human RFID Implants are already used for access to car, home, office.

Human RFID implants with personal health and financial information are being used and promoted:

Premature? Seriously?

Tags: , , , , , , , . European Union Data Protection,Internet of Things 1 Comment

Twitter Weekly Updates for EUdiscovery

February 18th, 2011 by Monique Altheim
Tags: . Weekly Twitter Updates Closed

Twitter Weekly Updates for EUdiscovery

February 11th, 2011 by Monique Altheim
Tags: . Weekly Twitter Updates Closed

Facebook and the First Amendment: Facebook decides who gets to view your posts and whose post you get to view

February 11th, 2011 by Monique Altheim

In a bold new move, Facebook has taken on the role of content censor on its own platform, and has done so in its notoriously sneaky style.

It is by chance that I learned about the change in my Facebook settings, thanks to the fact that I am lucky enough to be connected to some of the thought leaders in the Privacy field, such as Rebecca Herold, also known as @PrivacyProf. She posted a note on her wall today, which I will reproduce below to give the authors the credit they deserve.


NEW FACEBOOK SETTINGS RESTRICTING YOUR VIEWING PLEASURE!

by Tracie Koziura on Thursday, February 10, 2011 at 8:53am

Info shared by Abby Smith – thanks Abby!)

Have you noticed that you are only seeing updates in your newsfeed from the same people lately? Have you also noticed that when you post things like status messages, photos and links, the same circle of people are commenting and everyone else seems to be ignoring you?

Don’t worry, everyone still loves you and nobody has intentionally blocked you. The problem is that a large chunk of your friend/fan list can’t see anything you post because the “New Facebook” has a newsfeed setting that, by default, is automatically set to ONLY SHOW POSTS FROM PEOPLE WHO YOU’VE RECENTLY INTERACTED WITH OR INTERACTED WITH THE MOST (which would be limited to the couple of weeks just before people started switching to the new profile).

So in other words, for both business and personal pages, unless your friends/fans commented on one of your posts within those few weeks or vice versa – you are now invisible to them and they are invisible to you!

HERE’S THE FIX:

Scroll down to the bottom of the Newsfeed on your HOME page and click on “Edit Options”. In the popup, click on the dropdown menu next to ‘Show posts from:’and select “All Of Your Friends and Pages” and then click Save.

Note: This is the fix for personal pages but I am unsure of whether or not the business pages are set up the same way.

Simply posting an update about it won’t do any good because lots of your friends/fans already can’t see your posts by default. You’ll either have to send out a message to everyone on your list (which I’m not even sure business pages can do and is a rather tedious method) or post an event explaining the situation like this one and invite your entire fan base and/or friend list. You can also tweet about it hoping that most of your fellow facebookers are also on twitter.

PLEASE FEEL FREE TO SHARE THIS NOTE WITH AS MANY PEOPLE AS YOU CAN SO WE CAN TRY AND GET EVERYONE INFORMED AS SOON AS POSSIBLE. Anyone who isn’t seeing your posts right now will never see them until they have changed their settings as explained above.


Here is a screenshot I took of my Facebook Home page to illustrate Tracie’s excellent explanation:

As you can see, my default setting was set by Facebook to show posts from”Friends and pages you interact with most”. Of course, I changed it immediately to show posts from “All your friends and pages”. None of my Facebook friends were aware of this default setting, and most of them are professionals, very well informed in social media matters.

After changing the default setting, I learned that one of my friends’ daughters was Bat-mitzvahd, through a post that was hidden from me before I changed that setting, because this friend very rarely posts on Facebook. Another Facebook friend learned, only after changing her setting, that her cousin had a new baby.

This latest move by Facebook seriously worries me:

In my opinion, it smacks of censorship as practiced by the worst kind of despots. By introducing this kind of default setting and , on top of that, by not notifying users of this change, Facebook is basically deciding for its 600 million users what they can and cannot see on its platform.

What is the motivation behind this latest change? More profit for Facebook, no doubt, even though I fail to grasp the exact logic behind it.

I have understood by now, that as much as I want to believe, (or maybe  Facebook wants me to believe) that I am the one using Facebook for my benefit, it is in reality Facebook that is using me for its benefit.

Facebook’s tactics of taking away our privacy and our choices, little by little, reminds me of the tactics used by the most dangerous tyrants in human history.

This excellent German video about the dangers of a sureveillance state, illustrates those tactics, as applied by governments.

It explains the traditional metaphor of the frog: when frogs are put in a tub of hot water, they instinctively jump out, because it hurts too much (except on Glenn Beck’s show, where they die instantly). Frogs that are put in a tub of cold water stay, even after the temperature slowly increases until they cook alive. So it is with people. When surveillance is increased slowly, people don’t revolt. They just adapt, and refrain from showing and exptressing differing attitudes than the mainstream, knowing they are being observed and fearing of coming across as different.

Next thing you know, you have a society where everyone behaves uniformly, where differences are not tolerated anymore and where democracy has disappered.

You don’t need to know German to understand this clip:

Granted, Facebook is not to be compared to a “surveillance state”, but the tactics it uses to get its users slowly but surely “used” to its practices, certainly sound very similar to the tactics used by a surveillance state to achieve its objective.

I wonder what machiavellistic justification Facebook will come up with to explain this latest move. In this case, it cannot use the old ruse that it wants to provide its users a “better user experience”. For someone wishing to use a social networking site to do social networking, the move of restricting the amount of people with whom one can network socially can not seriously be thought of as providing a “better user experience.”

Tags: , , , , , . Filter Bubble,Online Privacy 10 Comments

Privacy and Data Protection in the EU: The grass is not always greener on the other side of the pond

February 4th, 2011 by Monique Altheim

According to the annual report of the French Association of Data Protection Officers (AFCDP), published on 28 January 2011, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).

The AFCDP is a professional organisation that represents French privacy professionals.  The AFCDP works to develop privacy best practices and to build relationships with the French National Data Protection Commission (CNIL).

Following French Data Protection Act, an individual may request that an entity that holds personal data about him, share that personal data with him. After a request is made, the entity has two months to provide full information to the person who made the request, free of charge. In certain circumstances, the individual may then request that the personal information be deleted or that it be brought up to date.

The AFCDP published a  second “Access Right Index”. It is intended to help French entities, both private and governmental, prepare themselves to respond to these information requests and to help educate individuals about their rights. The Index provides some insight into the manner in which entities are currently complying with the law.

To complete the study, access to personal data requests were sent to a panel of more than 220 French entities. In the Index, the AFCDP indicates which sectors were the best and worst in terms of compliance, and also provides anonymous, real examples of wrongdoing and guidance as to best practices.

Here are some results of that study:

Only 18% of the polled organisations responded in a legally satisfactory manner to information access requests.

31% did not respond within the legal time frame. ( two months).

51% responded within the legal time frame, but not in a legally satisfactory manner: Some responded as follows: “The requested information cannot be communicated because it is the property of the company.”

The French Data Protection Act of 2004 provided, among others, the creation of a Data Protection Correspondent role in public and private organizations, the Correspondants Informatique & Libertés (CIL) . The appointment of CILs is not obligatory, but it facilitates the procedures for processing of personal data for the companies that do appoint a CIL.

Even among the companies that have opted to appoint a CIL, the compliance numbers are far from satisfactory: only 40% of the polled companies with CILs have responded to access requests in a law abiding manner. For example, some of these companies sent a gift to the requesting party, instead of the data. Others sent an announcement that the data were deleted, followed by an announcement of miraculous recovery plus a demand for a significant “recovery fee” to access the information.

The CNIL is, like so many of its counter parts in other EU member states, currently under significant pressure to cut operating expenses.

If it does not enforce the Data Protection Act, what use is it?

This very useful survey by the AFCDP illustrates how the passing of data protection acts alone is totally useless, unless these laws actually get enforced.

And if legislation does not even guarantee significant compliance, what kind of compliance will “self-regulation” achieve?

Congress, take note!

Tags: , , , , , . European Union Data Protection,Online Privacy Closed

Twitter Weekly Updates for EUdiscovery

February 4th, 2011 by Monique Altheim
Tags: . Weekly Twitter Updates Closed