EU Data Protection
May 19, 2013
* Implications of the European Commission’s proposal for a general data protection regulation for business

Implications of the European Commission’s proposal for a general data protection regulation for business, Final report to the Information Commissioner’s Office. May 14, 2013

  • "An independent survey commissioned by the Information Commissioner’s Office has found a clear lack of understanding across business around the proposed EU data reforms. That uncertainty extends to businesses’ estimated cost expenditure on meeting their data protection responsibilities under the new law, bringing into question the data on costs found in existing evidence, for instance figures produced by the European Commission and Ministry of Justice. The findings are published...in a report by London Economics. It was commissioned by the ICO to better understand the challenges the planned reforms would place on UK businesses, and included a survey of 506 businesses."
  • May 09, 2013
    * On The "Right to Be Forgotten": Challenges and Suggested Changes to the Data Protection Regulation

    On The "Right to Be Forgotten": Challenges and Suggested Changes to the Data Protection Regulation

  • "Since January 2012, the European Union institutions have been debating draft legislation to reform European rules on data protection (commonly referred to as the Data Protection Regulation (DPR)). Article 17 of the proposed DPR presents the concept of a "Right to Be Forgotten". Article 17 would allow a user to request that an online service provider delete all data – including data that has been made public – it has about that user. While CDT is sympathetic to the concerns that underlie Article 17, we have recommended that it be redrafted and narrowed substantially. As laid out in the Commissionʼs proposal it would significantly limit usersʼ free expression rights and impose unreasonable burdens on online platforms and ISPs, likely leading to fewer platforms for user speech. Private companies are ill-equipped to take responsibility for decisions that balance the right to privacy with the right to free expression. Such questions are ultimately for courts to decide, interpreting carefully drawn legislative mandates in light of relevant human rights jurisprudence. Moreover, we believe that the measures to protect journalistic and artistic expression – namely, those granted by Article 80 of the DPR – are too narrowly drafted and do not satisfy international human rights obligations regarding free expression."
  • May 08, 2013
    * Report from European Coalition for Digital Rights

    International privacy organisations: Don't let corporations strip citizens of their right to privacy

  • "This report features new analysis by privacy experts of proposed amendments to the draft Data Protection Regulation. It reveals how many of these amendments threaten to critically undermine the privacy of EU consumers and citizens. Together, the amendments are an effort to strip EU citizens 'naked' by making it almost impossible for them to control who sees their personal information and even how it is used...We have grouped the amendments into five themes, outlining exactly why they would be so damaging for EU citizens' privacy rights. The proposals would:
    • weaken the definition of consent, making it more likely people could unwittingly agree to their data being used.
    • make it easy for companies to profile people without their consent, resulting in possible discrimination particularly of the most vulnerable.
    • allow businesses more readily to decide their interests outweigh people's privacy rights.
    • assume that so-called “pseudonymisation of data” is an effective means of avoiding privacy harms.
  • April 06, 2013
    * EU Data Protection Policies Challenge Google Privacy Policy

    PCWorld: "Six European data protection authorities will conduct formal investigations of Google's privacy policy after the company repeatedly rejected their requests that it reverse changes it made to the policy last March. Data protection authorities in France, Germany, Italy, the Netherlands, Spain, and the U.K. have resolved to conduct investigations or inspections of Google's privacy policy, following an initial investigation by the French data protection authority. The precise nature of the actions will depend on how the European Data Protection Directive has been transposed in their respective national laws."

    April 03, 2013
    * EPIC: EU Takes Action Against Google for Privacy Policy Meltdown

    EPIC: "Data protection agencies in six European countries have announced enforcement actions against Google. The agencies acted after Google ignored recommendations to comply with European data protection law. "It is now up to each national data protection authority to carry out further investigations according to the provisions of its national law transposing European legislation," the French data protection authority said. The enforcement action follows from Google's March 2012 decision to combine user data across 60 Internet services to create detailed profiles on Internet users. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google that would have prohibited Google's changes in business practices. Google's revised privacy policies also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order."

    March 26, 2013
    * Proposed new EU General Data Protection Regulation

    Proposed new EU General Data Protection Regulation: Article-by-article analysis paper, V1.0
    12 February 2013. UK Information Commissioner’s Office (ICO).

  • "We originally produced this document for two main audiences – the ICO’s own staff and the Ministry of Justice, to help to inform the UK’s negotiations in Europe. However, it has become clear that the information contained in this paper could be of use more widely, as a resource for all those with an interest in the data protection reform process and the ICO’s views. Therefore we have decided to publish it."
  • February 19, 2013
    * EPIC - Europe Prepares Action Against Google

    EPIC: "The French Data Protection Commissioner, acting on behalf of the European Union, announced it will take action against Google after the company failed to reply to questions about its handling of user information. In October 2012, officials representing 24 countries in Europe sent a letter requiring Google to comply with European data protection laws, and give users greater control over their personal information. The action followed an investigation triggered by the collapse of the Google privacy policy in March 2012, which allowed the company to combine user data across 60 Internet services. Last year, EPIC sued the Federal Trade Commission to force the FTC to enforce the terms of a settlement with Google. Google’s policy consolidation also prompted objections from state attorneys general, members of Congress, and IT managers in the government and private sectors. For more information, see EPIC: Google Buzz and EPIC: Enforcement of Google Consent Order."

    January 02, 2013
    * The Contribution of EU Directives to the Objective of Consumer Protection

    The Contribution of EU Directives to the Objective of Consumer Protection. Annalies Azzopardi, University of Malta, October 2012. ELSA Malta Law Review, Vol. 2, 2012, Via SSRN.

  • "This paper examines the techniques used by European Union directives in order to protect the consumer. After a brief introduction to consumer legislation within the European Union, these techniques will be examined in turn, highlighting their advantages and disadvantages. This paper ends analyzing the contribution of the European Union consumer protection directives, and the techniques employed as a whole in order to determine whether they are effective in protecting the consumer in the single market."
  • December 30, 2012
    * European Data Protection Supervisor - safeguarding data protection rights

    December 17, 2012: "the European Data Protection Supervisor (EDPS) published his Report on the Status of Data Protection Officers (DPOs) as part of his ongoing task to monitor the compliance of EU institutions and bodies with Article 24 of the European Data Protection Regulation, which obliges the appointment of DPOs...Article 24 of the Data Protection Regulation (EC) No 45/2001 provides that each EU institution/body has to appoint at least one Data Protection Officer (DPO) to ensure in an independent manner its internal application. Article 24 sets out the conditions of appointment of the DPOs, their status and the general conditions governing the performance of their duties. Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data."

  • Monitoring compliance of EU institutions and bodies with Article 24 of Regulation (EC) 45/2001 - Report on the Status of Data Protection Officers
  • November 07, 2012
    * UK - Justice Committee publishes report on the Committee's opinion on EU Data Protection framework proposals

    According to the Justice Committee, the European Union Data Protection proposals "need to go back to the drawing board".

    August 05, 2012
    * ICO statement on information received from Google about retention of Street View data

    Statement: 27 July 2012 - "The Information Commissioner’s Office (ICO) has issued the following statement today in response to information received from Google about the retention of payload data collected by its Street View vehicles. An ICO spokesperson said: “Earlier today Google contacted the ICO to confirm that it still had in its possession some of the payload data collected by its Street View vehicles prior to May 2010. This data was supposed to have been deleted in December 2010. The fact that some of this information still exists appears to breach the undertaking to the ICO signed by Google in November 2010. “In their letter to the ICO today, Google indicated that they wanted to delete the remaining data and asked for the ICO’s instructions on how to proceed. Our response, which has already been issued, makes clear that Google must supply the data to the ICO immediately, so that we can subject it to forensic analysis before deciding on the necessary course of action. "We are also in touch with other data protection authorities in the EU and elsewhere through the Article 29 Working Party and the GPEN network to coordinate the response to this development. “The ICO is clear that this information should never have been collected in the first place and the company’s failure to secure its deletion as promised is cause for concern.”

    July 03, 2012
    * EPIC - European Expert Group Affirms Privacy Rules for Cloud Service Providers

    "The Article 29 Working Party, representing the privacy agencies of European Union countries, has released a new Opinion in which it states that cloud service providers will be subject to the EU Data Protection Directive. The expert group also advises users of cloud-based services to conduct a comprehensive and thorough risk analysis of cloud services. In 2009, EPIC urged the US Federal Trade Commission to develop privacy standards for Cloud Computing services. See EPIC - Cloud Computing."

    May 30, 2012
    * CRS - U.S.-EU Cooperation Against Terrorism

    U.S.-EU Cooperation Against Terrorism, Kristin Archick, Specialist in European Affairs, May 21, 2012

  • "...challenges persist in fostering closer U.S.-EU counterterrorism and law enforcement cooperation. Among the most prominent are data privacy and data protection concerns. The EU considers the privacy of personal data a basic right and EU rules and regulations strive to keep personal data out of the hands of law enforcement as much as possible. The negotiation of several U.S.-EU information-sharing agreements, from those related to tracking terrorist financial data to sharing airline passenger information, have been complicated by ongoing EU concerns about whether the United States could guarantee a sufficient level of protection for European citizens’ personal data. Other issues that have led to periodic tensions include detainee policies, differences in the U.S. and EU terrorist designation lists, and balancing measures to improve border controls and border security with the need to facilitate legitimate transatlantic travel and commerce."
  • May 21, 2012
    * EU Announces Preliminary Conclusions on Google Antitrust Investigation

    News release, Joaquín Almunia, Vice President of the European Commission responsible for Competition Policy: "In November 2010, the Commission launched an antitrust investigation into allegations that Google had abused a dominant market position. This followed a number of complaints. We have looked at those complaints and at others we received since the opening. And we have conducted a large-scale market investigation...Our investigation has led us to identify four concerns where Google business practices may be considered as abuses of dominance...[snipped]

    • first, in its general search results on the web, Google displays links to its own vertical search services.
    • Our second concern relates to the way Google copies content from competing vertical search services and uses it in its own offerings. Google may be copying original material from the websites of its competitors such as user reviews and using that material on its own sites without their prior authorisation.
    • Our third concern relates to agreements between Google and partners on the websites of which Google delivers search advertisements.
    • Our fourth concern relates to restrictions that Google puts to the portability of online search advertising campaigns from its platform AdWords to the platforms of competitors."

    April 09, 2012
    * CDT Analysis of EC's Proposed Data Protection Regulation

    CDT Analysis of the European Commission's Proposed Data Protection Regulation

    • CDT strongly supports the use of the Regulation instrument to harmonize data protection across the common market and the renewed emphasis on stronger enforcement to provide data subjects with consistent, predictable privacy rights.
    • CDT proposes a clarification that the Regulationʼs requirement of parental consent only applies when a controller has actual knowledge that it is processing a child's data, as opposed to a presumption of knowledge that it is likely processing data concerning a child. Otherwise, all controllers would have to adopt invasive, expensive, and ineffective controls to determine the identity of all data subjects in violation of Article 10 of the Regulation.
    • CDT urges significant revision to the Articles providing for a right to be forgotten and for stringent rules around profiling, as these Articles are unduly broad and unworkable in their current iterations.
    • CDT supports a streamlined process for the development of industry specific Codes of Conduct and urges the Commission to take an active role in convening stakeholders around evolving privacy norms.

    March 01, 2012
    * EPIC: European Justice Minister Says Google Now in Violation of EU Law

  • "European Justice Minister Viviane Reding said today that Google's March 1 changes to its terms of service violate European Union law "in numerous respects." Commissioner Reding pointed to the failure of the company to obtain user consent, the lack of transparency, and the fact that most users do not read privacy policies. European privacy officials recently concluded that the changes do not comply with the European Union Data Protection Directive and asked the company to suspend its planned changes. In the US, EPIC has urged a federal court to require the Federal Trade Commission to determine whether Google's changes violate a 2011 Consent Order. The court denied the motion. The case is now on appeal. For more information, see EPIC v. FTC (Google Consent Order)."

  • January 28, 2012
    * International Privacy Day: Top Concerns of Activists and Data Protection Authorities

    EFF: "This January 28 marks International Privacy Day. Different countries around the world are celebrating this day with their own events. This year, we are honoring the day by calling attention to recent international privacy threats and interviewing data protection authorities, government officials, and activists to gain insight into various aspects of privacy rights and related legislation in their own respective countries. As part of International Privacy Day, the EFF asked data protection authorities, politicians, and activists about privacy related issues and concerns for 2012. In addition to the individuals highlighted in our previous posts, EFF heard back from the Council of Europe, the European Data Protection Supervisor (EDPS), and activists from Canada, France and Spain. In various ways, all of the responses focused on government surveillance or data protection laws. For the Council of Europe and European Data Protection Supervisor, the focus was on data protection agreements, while the activists were mindful of the ever-increasing power of government authorities to surveil their citizens."

    January 25, 2012
    * Commission proposes a comprehensive reform of the data protection rules

    News release: "The European Commission has today [January 24, 2012] proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe."

    December 22, 2011
    * Report of Data Protection Audit of Facebook Ireland Published

    News release: "The Office of the Data Protection Commissioner, Ireland 21 December 2011 published the outcome of its audit of Facebook Ireland (FB-I) which was conducted over the last three months including on-site in Facebook Ireland’s Headquarters in Dublin. The report is available in 2 parts: Report of the Audit, including recommendations and the Facebook Technical Analysis Report...It is a comprehensive assessment of Facebook Ireland’s compliance with Irish Data Protection law and by extension EU law in this area...Deputy Commissioner, Gary Davis who led the conduct of the Audit stated that “this Audit was the most comprehensive and detailed ever undertaken by our Office. We set ourselves a very ambitious target for completion and publication as both this Office and Facebook, felt it was important that the outcome be published and opened to public comment and scrutiny...Facebook is constantly evolving and adapting in response to user needs and technical developments. Like any successful technology platform, the service needs to innovate by introducing new products and features in order to adapt to changing circumstances. Indeed the almost Darwinian nature of the site means that there will constantly be an absolute need to have in place robust mechanisms to keep pace with the innovation that is the source of the site’s success."

    October 30, 2011
    * Privacy and Security in the Implementation of Health Information Technology: U.S. and EU Compared

    Privacy and Security in the Implementation of Health Information Technology (Electronic Health Records): U.S. and EU Compared, B.U. J. SCI. & TECH. L., Vol. 17, Winter 2011.

  • "The importance of the adoption of Electronic Health Records (EHRs) and the associated cost savings cannot be ignored as an element in the changing delivery of health care. However, the potential cost savings predicted in the use of EHR are accompanied by potential risks, either technical or legal, to privacy and security. The U.S. legal framework for healthcare privacy is a combination of constitutional, statutory, and regulatory law at the federal and state levels. In contrast, it is generally believed that EU protection of privacy, including personally identifiable medical information, is more comprehensive than that of U.S. privacy laws. Direct comparisons of U.S. and EU medical privacy laws can be made with reference to the five Fair Information Practices Principles (FIPs) adopted by the Federal Trade Commission and other international bodies. The analysis reveals that while the federal response to the privacy of health records in the U.S. seems to be a gain over conflicting state law, in contrast to EU law, U.S. patients currently have little choice in the electronic recording of sensitive medical information if they want to be treated, and minimal control over the sharing of that information. A combination of technical and legal improvements in EHRs could make the loss of privacy associated with EHRs de minimis. The EU has come closer to this position, encouraging the adoption of EHRs and confirming the application of privacy protections at the same time. It can be argued that the EU is proactive in its approach; whereas because of a different viewpoint toward an individual’s right to privacy, the U.S. system lacks a strong framework for healthcare privacy, which will affect the implementation of EHRs. If the U.S. is going to implement EHRs effectively, technical and policy aspects of privacy must be central to the discussion."
  • May 30, 2011
    * EU Commission sets out "blueprint" for Intellectual Property Rights to boost creativity and innovation

    EUROPA press release: "Intellectual property rights (IPR), which comprise patents, trademarks, designs and geographical indications, as well as copyright (authors' rights) and rights related to copyright (for performers, producers and broadcasters), have been around for centuries. Often, without our even realising, they affect our daily lives: they protect the technology we use (cars, mobile phones, trains), the food we eat and the music we listen to or the films we watch. But in the last few years, technological change and, in particular, the growing importance of online activities, have completely changed the world in which IPR operate. The existing mix of European and national rules are no longer adapted and need to be modernised. That is why the Commission has adopted today a comprehensive strategy to revamp the legal framework in which IPR operate. Our objective is to enable inventors, creators, users and consumers to adapt to the new circumstances and to enhance new business opportunities. The new rules will strike the right balance between promoting creation and innovation, in part by ensuring reward and investment for creators and, on the other hand, promoting the widest possible access to goods and services protected by IPR. Getting this balance right will make a real difference to businesses (from the individual artist working alone to the big pharmaceutical companies) by encouraging investment in innovation. This will benefit the EU's growth and competitiveness which is delivered through the single market. Consumers will benefit from wider and easier access to information and cultural content, for example online music. The strategy deals with many issues to ensure IPR are covered comprehensively - from the patent a business needs to protect an invention to tackling the misuse of such inventions via a proposal also adopted today which will strengthen action on counterfeiting and piracy. 
    Among the first deliverables of this IPR overall strategy are today's proposals for an easier licensing system for so-called "orphan works" that will allow many cultural works to be accessible online, and for a new regulation to reinforce customs actions in fighting trade of IPR infringing goods."

    May 27, 2011
    * Draft Agreement Would Allow DHS to Store EU Passenger Data for 15 Years

    EPIC: "A draft agreement between the United States and the European Union will allow the U.S. Department of Homeland Security to store passenger data for up to 15 years. The passenger data includes names, addresses, phone numbers, and credit card information, and even ethnic origin, political opinions, and details of health or sex life. The 15 year time period in the proposed agreement is three times that allowed under Europe's existing Passenger Name Record regime. See also EPIC: EU-US Airline Passenger Data Disclosure."

    April 18, 2011
    * EDPS opinion on EU Financial Regulation: EU budget needs clear rules on transparency, also to protect individuals' personal data

    "On 15 April 2011, the European Data Protection Supervisor (EDPS) adopted an opinion on the Commission's proposal aimed at revising the financial rules applicable to the annual budget of the European Union ("EU Financial Regulation"). The proposal covers several matters which involve the processing of personal data by the EU institutions and by entities at Member State level. One of the most significant new elements introduced by the proposal is the possibility to publish decisions on administrative and financial penalties. Such publication would entail the disclosure of information about the person concerned in an identifiable way. The EDPS believes that this provision does not meet the requirements of data protection law. To better comply with data protection rules, it should be improved by explicitly indicating the purpose for the disclosure and by ensuring the consistent application of the possibility of what is in fact naming and shaming of persons, with use of clear criteria to demonstrate the necessity of the disclosure."

    December 26, 2010
    * Senior Supervisors Group Issues Report on Risk Appetite Frameworks and IT Infrastructure

    Federal Reserve Bank of New York: "Senior financial supervisors from ten countries — collectively, the Senior Supervisors Group (SSG) — issued a report on December 23, 2010 that evaluates how financial institutions have progressed in developing formal risk appetite frameworks and in building out highly developed IT infrastructures and firm wide data aggregation capabilities. The report — Observations on Developments in Risk Appetite Frameworks and IT Infrastructures — concludes that while firms have made progress in developing risk appetite frameworks and have begun multiyear projects to improve IT infrastructure, considerably more work must be done to strengthen these practices. In particular, the aggregation of risk data remains a challenge, despite its criticality to strategic planning, decision making and risk management."

    November 15, 2010
    * UK: Google Street View (GSV) collection of payload data

    "The Information Commissioner’s Office (ICO) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals." Snipped from November 3, 2010 letter from ICO to Global Privacy Counsel, Google France: "My office now understands that GSV (Google Street View) cars driving in the UK before May 2010 were equipped with the same equipment as the GSV cars in countries where regulators found some instances where entire emails and URLs were captured, as well as passwords. As such, my office believes that while most of the payload data gathered from the UK is fragmentary, in some instances it is possible that entire emails and URLs were captured, as well as passwords. It is my view that the collection of this information is a serious breach of the first data protection principle..."

    November 04, 2010
    * European Commission sets out strategy to strengthen EU data protection rules

    "What happens to your personal data when you board a plane, open a bank account, or share photos online? How is this data used and by whom? How do you permanently delete profile information on social networking websites? Can you transfer your contacts and photos to another service? Controlling your information, having access to your data, being able to modify or delete it – these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU’s 1995 Data Protection Directive. The Commission will then propose legislation in 2011."

    October 22, 2010
    * EPIC: Google Ends Secret Wifi Data Gathering

    EPIC: "Following numerous protests around the world, Google has ended its illegal collection of wifi data transmissions. The company, which originally claimed it was not even collecting wifi data, was forced to admit that the practice has been ongoing for three years in more than thirty countries, following an independent investigation initiated by European privacy officials. Investigations are still underway to determine the extent of Google's liability. EPIC wrote to the FCC earlier this year, pointing out that the practice violated US wiretap laws."

    • EPIC - Investigations of Google Street View
    • Official Google Blog: "Creating stronger privacy controls inside Google": "In May we announced that we had mistakenly collected unencrypted WiFi payload data (information sent over networks) using our Street View cars. We work hard at Google to earn your trust, and we’re acutely aware that we failed badly here. So we’ve spent the past several months looking at how to strengthen our internal privacy and security practices, as well as talking to external regulators globally about possible improvements to our policies."

    September 21, 2010
    * EU Passenger Name Record (PNR) External Strategy; FAQs

    EU Passenger Name Record (PNR) External Strategy (9/21/10): "The European Commission adopted today a package of proposals on the exchange of Passenger Name Record (PNR) data with third countries (countries outside the EU), consisting of an EU external PNR strategy and recommendations for negotiating directives for new PNR agreements with the United States, Australia and Canada."

  • The Passenger Name Record (PNR) - Frequently Asked Questions

  • June 16, 2010
    * Privacy International Launches System to Shed Light on Controversial Technologies

    EPIC: "International watchdog Privacy International has announced the launch of a new website for bringing transparency to "technical mysteries" behind controversial systems. Cracking the Black Box identifies key questions regarding mysterious technologies and asks experts, whistleblowers, and other concerned parties to "help crack the box" by anonymously contributing ideas and input. The organization responsible for the technology in question is then invited to provide an official response. The first two issues addressed on the PI site are the Google Wi-Fi controversy and the EU proposal to retain search data."

    May 30, 2010
    * EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules

    Article 29 Data Protection Working Party Press Release, Brussels, 26 May 2010: EU data protection group says Google, Microsoft and Yahoo! do not comply with data protection rules

  • "The Article 29 Data Protection Working Party, a group of European data protection authorities, today told the three major search engine operators – Google, Yahoo! and Microsoft – that their methods of making users’ search data anonymous still do not comply with the European Union’s Data Protection Directive 95/46/EC. The Article 29 Working Party recognises the search engines’ efforts to bring their policies in line with European data protection legislation. However, in letters sent to the companies, the Working Party urges them to use an outside auditor to verify their commitments to make users’ internet search data truly anonymous."
  • April 11, 2010
    * No EU-US Agreement on Transfer of EU Financial Data to US or Deployment of Airport Body Scanners

    Follow up to previous postings on government implementation of whole body scanning technology at airports, via EPIC: "A meeting between top United States counter-terrorism officials and European counterparts ended in Madrid today with no agreement to restart a program that gave the US access to European financial data. The Terrorist Finance Tracking Program operated in secret from 2001 to 2006. European legislators objected to the program as a violation of EU privacy law. There also appeared to be no EU support for the further deployment of body scanners in European airports. EPIC has raised several objections to the body scanner program, including a letter with Ralph Nader to the administration, Congressional Testimony, and open government litigation, which revealed that the devices store and record images."

    December 19, 2009
    * The eYouGuide now speaks 10 languages

    The eYouGuide, Europe's first online tool giving consumers practical advice on their "digital rights" under EU law is now available in 10 languages. "The eYouGuide was launched in Strasbourg on 5 May 2009 (see IP/09/702). The guide provides information on a number of issues related to online activities, such as shopping online, networking, uploading and downloading content and making online payments, just to mention a few. It is meant as a tool to improve consumers' awareness and confidence in the digital environment. The website will be updated and extended to more EU languages at the beginning of 2010."

    May 13, 2009
    * Rand: Review of the European Data Protection Directive

    Review of the European Data Protection Directive, by Neil Robinson, Hans Graux, Maarten Botterman, Lorenzo Valeri

  • "The Information Commissioner's Office (ICO) asked a multidisciplinary international research team led by RAND Europe with time-lex and GNKS-Consult to review the strengths and weaknesses of the European Data Protection Directive 95/46/EC and propose avenues for improvement. The Directive can be regarded as a unique legal instrument in how it supports the exercise of a right to privacy and rules for personal data protection. Its principles are regarded in many quarters as a gold standard or reference model for personal data protection in Europe and beyond. However, the Directive must remain valid in the face of new challenges, including globalisation, the ongoing march of technological capability and the changing ways that personal data is used. Although the flexibility of the Directive helps it to remain current, its effectiveness is undermined by the complexity of the cultural and national differences across which it must operate."
  • March 24, 2009
    * Database State - a comprehensive map of UK government databases

    Database State, Executive Summary and Full Report - By Ross Anderson, Ian Brown, Terri Dowty, Philip Inglesant, William Heath, Angela Sasse, Foundation for Information Policy Research (March 2009)

  • "In recent years, the Government has built or extended many central databases that hold information on every aspect of our lives, from health and education to welfare, law–enforcement and tax. This ‘Transformational Government’ programme was supposed to make public services better or cheaper, but it has been repeatedly challenged by controversies over effectiveness, privacy, legality and cost. Many question the consequences of giving increasing numbers of civil servants daily access to our personal information. Objections range from cost through efficiency to privacy. The emphasis on data capture, form-filling, mechanical assessment and profiling damages professional responsibility and alienates the citizen from the state. Over two-thirds of the population no longer trust the government with their personal data. This report charts these databases, creating the most comprehensive map so far of what has become Britain’s Database State."
  • October 13, 2008
    * Commission consults on how to put Europe into the lead of the transition to Web 3.0

    News release, September 29, 2008: "Europe could take the lead in the next generation of the Internet. The European Commission today outlined the main steps that Europe has to take to respond to the next wave of the Information Revolution that will intensify in the coming years due to trends such as social networking, the decisive shift to on-line business services, nomadic services based on GPS and mobile TV and the growth of smart tags. The report shows that Europe is well placed to exploit these trends because of its policies to support open and pro-competitive telecom networks as well as privacy and security. A public consultation has been launched today by the Commission on the policy and private sector responses to these opportunities. The Commission report also unveils a new Broadband Performance Index (BPI) that compares national performance on key measures such as broadband speed, price, competition and coverage. Sweden and the Netherlands top this European broadband league, which complements the more traditional broadband penetration index used so far by telecoms regulators."

    September 09, 2008
    * Google Announces Revised User Record Retention Policy

    Official Google Blog: "we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users."

  • Related: Google Response to the [EU] Article 29 Working Party Opinion On Data Protection Issues Related to Search Engines
  • June 03, 2008
    * EU - Report on the Future of European Home Affairs Policy

    Freedom, Security, Privacy – European Home Affairs in an open world - Report of the Informal High Level Advisory Group on the Future of European Home Affairs Policy ("The Future Group"), June 2008

    April 26, 2008
    * International Privacy Officials Recommend Social Networking Privacy Safeguards

    EPIC: "The International Working Group On Data Protection in Telecommunications has released a report and guidance (pdf) on privacy in social networking services. The report identifies risks to privacy and security, and provides guidance to regulators, service operators and users to counter these risks. Risks include the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces. Regulators should ensure openness, and oblige data breach notification. Providers must be transparent; live up to promises made to users; and use privacy friendly defaults. Privacy and consumer groups are also recommended to raise the awareness of regulators, providers and the general public."

  • Report and Guidance on Privacy in Social Network Services - “Rome Memorandum” - 43rd meeting, 3-4 March 2008, Rome (Italy)

  • A brochure containing all documents adopted by the International Working Group until 2006 (in German and English) is available for download here.
  • April 18, 2008
    * ACLU letter to President of the EU's Article 29 Working Group

    Barry Steinhardt, director of the ACLU Technology & Liberty Project: April 16, 2008 Letter from the ACLU to the President of the European Union's Article 29 Working Group urging investigation of NSA spying.

  • "We would like to take this opportunity to raise with you and your colleagues our concerns regarding new extrajudicial surveillance of European and other foreigners’ activities that is being conducted by the United States on the basis of traffic data and content communications. We believe that this surveillance contravenes the requirements for the protection of the private life under article 8 of the European Convention on Human Rights and accordingly the EU Directive 1995 on the processing of personal information and the 2002 E.Privacy Directive. Telecommunications service providers across Europe and around the world that provide communications services to Europeans are likely to be in breach of these laws. And the communications privacy of European citizens and those persons, including Americans, with whom they communicate, is in significant jeopardy."
    "Because much of the world's communications travel through switching points in the United States, Internet transactions and email between Europeans is increasingly sent through servers in the U.S. This greatly aids the NSA in its surveillance. (This amazing map on Wired News pretty much conveys the situation in a single glance.)"
  • April 13, 2008
    * Legally eHealth: Putting eHealth in its European Legal Context

    Legally eHealth: Putting eHealth in its European Legal Context. Legal and regulatory aspects of eHealth Study report March 2008.

  • "The Legally eHealth Report...seeks to examine some keys of the legal questions raised by the adoption of eHealth tools in healthcare. It looks at how EU legislation on data protection, product and services liability, and trade and competition law applies. In considering the law of privacy, the report examines the European Directives on Data Protection Directive, Privacy in Electronic Communications, as well as the European Convention of Human Rights against the backdrop of a number of scenarios exploring data transfer for the purposes of better care provision both across European and international borders, as well as for commercial purposes."
  • April 07, 2008
    * European Privacy Officials: Privacy Rules Apply to Search Engines

    EPIC: "European privacy officials have established "a clear set of responsibilities" on search engine companies regarding their handling of user data. The opinion, issued by the Article 29 Working Group, states that the European Union Data Protection Directive requires search engines to "delete or irreversibly anonymise personal data once they no longer serve the specified and legitimate purpose" for which they were collected. This requirement has particular significance for search engines, because European privacy rules classify Internet Protocol (IP) addresses as "personal data." The opinion further holds that European privacy laws generally apply to search engines "even when their headquarters are outside [Europe]," and requires that search engines must delete personal data within six months of collection. Earlier this year, EPIC urged the European Parliament to protect the privacy of search histories. For more information, see EPIC's Search Engine Privacy page."

    April 01, 2008
    * Cybercrime Legislation: EU Country Profiles

    Cybercrime Legislation - Country profiles: "These profiles have been prepared within the framework of the Council of Europe’s Project on Cybercrime in view of sharing information on cybercrime legislation and assessing the current state of implementation of the Convention on Cybercrime under national legislation. They do not necessarily reflect official positions of the countries covered or of the Council of Europe."

  • Octopus Interface 2008 - Cooperation against Cybercrime, Tuesday 1 - Wednesday 2 April 2008, Council of Europe, Strasbourg, France. "The 2008 Conference will focus on the cooperation between service providers and law enforcement, the state of cybercrime legislation and the effectiveness of international cooperation. In the face of the increasing vulnerability of societies to the threat of cybercrime the Conference provides a platform for enhancing cooperation among key stakeholders from around the world."
  • March 11, 2008
    * Google Finalizes Acquisition of DoubleClick

    Follow up to previous postings on the Google-DoubleClick merger, this announcement today from Eric Schmidt, Google Chairman and CEO: "I'm pleased to share the news that we completed our acquisition of DoubleClick today. Although it's been nearly a year since we announced our intention to acquire DoubleClick last April, we are no less excited today about the benefits that the combination of our two companies will bring to the online advertising market."

  • Related news today: "The European Commission has cleared under the EU Merger Regulation the proposed acquisition of the online advertising technology company DoubleClick by Google, both of the US. The Commission’s in-depth investigation, opened in November 2007 (see IP/07/1688), concluded that the transaction would be unlikely to have harmful effects on consumers, either in ad serving or in intermediation in online advertising markets. The Commission has therefore concluded that the transaction would not significantly impede effective competition within the European Economic Area (EEA) or a significant part of it."
  • March 01, 2008
    * EU Safer Internet Plus Programme

    "The Safer Internet plus programme aims to promote safer use of the Internet and new online technologies, particularly for children, and to fight against illegal content and content unwanted by the end-user, as part of a coherent approach by the European Union."

  • Make the internet a safer place, February 2008: "While the international context is complex, the EU has set certain standards across Europe, clarifying many legal issues. The internet related issues, however, cannot be tackled by legal measures alone, and are generally greater than parents realise. With broadband access growing – both via PCs and ‘third generation’ (3G) mobile phones – and as the internet becomes an increasingly important part of children’s lives, these figures are not likely to become less disturbing without concerted action."
  • February 10, 2008
    * One person in eight in the EU27 avoids e-shopping because of security concerns

    Press release: "In connection with the 5th Safer Internet Day on 12 February 2008, Eurostat, the Statistical Office of the European Communities, presents a selection of statistics concerning internet activities, security concerns and virus attacks. The Safer Internet Day is part of a global drive to promote a safer Internet for all users, in particular younger people, and is organised by Insafe, a European internet safety network co-funded by the European Commission...In the EU27 in 2007, nearly a quarter of internet users had had a computer virus in the preceding 12 months, which resulted in a loss of information or time. Virus attacks were most frequent in Lithuania (41% of users), Slovenia (35%) and Malta (34%) and least common in the Czech Republic (7%), Estonia (15%) and Sweden (16%)."

    January 27, 2008
    * EU Data Protection Day, January 28, 2008

    "The aim of the Data Protection Day is to give European citizens the chance to understand what personal data is collected and processed about them and why, and what their rights are with respect to this processing. They should also be made aware of the risks inherent and associated with the illegal mishandling and unfair processing of their personal data. The objective of the Data Protection Day is therefore to inform and educate the public at large as to their day-to-day rights, but it may also provide data protection professionals with the opportunity of meeting data subjects."

    October 04, 2007
    * European Security Research Agenda: European Commission Working documents

    European Security Research Agenda: European Commission Working documents: Public-Private Dialogue in Security Research and Innovation: Summary of the Impact Assessment (SEC (2007); Public-Private Dialogue in Security Research and Innovation: Impact Assessment (SEC (2007)

  • See also Security research to better combat terrorism

  • September 15, 2007
    * Google Privacy Chief Calls for International Data Protection Standards

    Heise Online: "The world's number one search engine Google is calling for international standards for data protection. "Three quarters of the countries in the world have no privacy regimes at all", Peter Fleischer, Google's Privacy Chief, explained at a conference organized by UNESCO, the UN's Education, Science, and Culture Organization, on the topic of "Internet Ethics". What's worse, Fleischer pointed out that even the countries in Europe and the OECD (Organization for Economic Collaboration and Development) that do have such laws wrote them up back when the Internet did not have the impact it currently does."

    July 26, 2007
    * New Agreement With EU For Passenger Name Record Data Sharing

    Press release: "Secretary Michael Chertoff made the following statement: "I am pleased to have signed an important agreement with the European Union today that will allow the Department of Homeland Security to continue using Passenger Name Record (PNR) data as an essential screening tool for detecting potentially dangerous transatlantic travelers."

  • 2007 PNR Agreement - U.S. version (PDF, 7 pages)

  • Letter from the Council of the European Union to the United States (PDF, 3 pages)

  • Letter from the United States to the Council of the European Union (PDF, 5 pages)

    July 06, 2007
    * European Commission Opens Inquiry into Google/DoubleClick Merger

    Follow up to the Google DoubleClick Merger In the News, from EPIC: "The European Commission Directorate on Competition will review Google's $3.1 billion merger with internet advertising company DoubleClick. The news comes a few days after European consumer group BEUC sent a letter (pdf) urging Commission to investigate the merger. The Article 29 Data Protection Working Party recently expanded (pdf) an investigation of Google's data retention policies to include the policies of all search engines. The U.S. Federal Trade Commission also is reviewing the merger."

    June 13, 2007
    * Google Agrees to Cut Data Retention Time in Response to EU Privacy Laws

    EPIC reports: "Google will cut the period that it retains user data from a maximum of 24 months to a maximum of 18 months, the company said in a letter (pdf) to the Article 29 Data Protection Working Party. Last month, the Working Party began to investigate (pdf) Google's privacy practices and asked whether the company has "fulfilled all the necessary requirements" to abide by EU privacy rules. In its letter, Google did not adequately explain why it needed to retain user data for 18 or 24 months, except to vaguely say that the data would help Google build new services, possibly help prevent fraud and abuse, and that the U.S. and EU member states might impose a 24-month retention requirement."

  • See also this June 10, 2007 posting, Privacy Ranking Report of Internet Service Companies and this Official Google Blog posting by Peter Fleischer, Global Privacy Counsel, on the EU data retention issue.
  • June 05, 2007
    * EU/US Passenger Name Record (PNR) Agreement

    European Union Committee, Home Affairs (Sub-Committee F), The EU/US Passenger Name Record (PNR) Agreement, HL Paper 108 is published today Tuesday 5th June, 2007 (139 pages, PDF). [see also HTML version (browsable)]

  • Press release: The House of Lords EU Committee raises concerns over passenger name record agreement with the US
  • April 20, 2007
    * EU Report on Digital Preservation, Orphan Works and Out-of-Print Works

    "The Report on Digital Preservation, Orphan Works and Out-of-Print Works, Selected Implementation Issues is an advisory report on copyright issues to the European Commission, presented on 19 April by the EU's High Level Expert Group on Digital Libraries - which includes, inter alia, stakeholders from the British Library, the Deutsche Nationalbibliothek, the Federation of European Publishers and Google."

  • "The EU's High Level Expert Group on Digital Libraries - which includes, inter alia, stakeholders from the British Library, the Deutsche Nationalbibliothek, the Federation of European Publishers and Google - will present this afternoon an advisory report on copyright issues to the European Commission. In addition, the group will discuss today how to ensure more open access to scientific research and how to improve public-private cooperation. The work of the High Level Group is part of the European Commission's efforts to make Europe's rich cultural and scientific heritage available online. For this purpose, the group advises the Commission on issues regarding digitisation, online accessibility and digital preservation of cultural material."

  • Report on Digital Preservation, Orphan Works and Out-of-Print Works, Selected Implementation Issues

  • Annex: Model agreement for a licence on digitisation of out of print works
  • March 14, 2007
    * Google Announces Change in Privacy Policy on Storage of Server Logs

    Taking steps to further improve our privacy practices: Posted by Peter Fleischer, Privacy Counsel-Europe, and Nicole Wong, Deputy General Counsel: "When you search on Google, we collect information about your search, such as the query itself, IP addresses and cookie details. Previously, we kept this data for as long as it was useful. Today we're pleased to report a change in our privacy policy: Unless we're legally required to retain log data for longer, we will anonymize our server logs after a limited period of time. When we implement this policy change in the coming months, we will continue to keep server log data (so that we can improve Google's services and protect them from security and other abuses)—but will make this data much more anonymous, so that it can no longer be identified with individual users, after 18-24 months...Just as we continuously work to improve our products, we also work toward having the best privacy practices for our users. This includes designing privacy protections into our products (like Google Talk's “off the record” feature or Google Desktop’s “pause” and “lock search” controls). This also means providing clear, easy to understand privacy policies that help you make informed decisions about using our services. After talking with leading privacy stakeholders in Europe and the U.S., we're pleased to be taking this important step toward protecting your privacy. By anonymizing our server logs after 18-24 months, we think we’re striking the right balance between two goals: continuing to improve Google’s services for you, while providing more transparency and certainty about our retention practices. In the future, it's possible that data retention laws will obligate us to retain logs for longer periods. Of course, you can always choose to have us retain this data for more personalized services like Search History. But that's up to you. 
    Our engineers are already busy working out the technical details, and we hope to implement this new data policy over the coming months (and within a year's time). We’ll communicate more as we work out these details, but for now, we wanted you to know that we’re working on this additional step to strengthen your privacy. If you want to know more, read the log retention FAQ (PDF)."

  • Danny Sullivan provides a step by step explanation of the impact of this announcement, in his posting, Google Anonymizing Search Records To Protect Privacy.

  • January 23, 2007
    * EU eGovernment Action Plan Roadmaps

    "The European Commission in co-operation with the Member States has finalised the roadmaps for the action plans on Pan-European Electronic Identity Management, Electronic Procurement and Inclusive eGovernment. In view of the continuous and fast evolution in these areas, we shall conduct an annual revision of these roadmaps."

  • Electronic Identity Management roadmap table and paper

  • Electronic Procurement roadmap

  • Inclusive eGovernment roadmap. See also the reports 'Options for administrative actions towards the i2010 inclusive eGovernment goal' and 'Analysis of European target groups related to inclusive eGovernment'

  • You can see also the plan of activities 2007-2010 for eGovernment Efficiency and Effectiveness
  • November 29, 2006
    * New EU Communication on Spam

    Press release: "The Commission today called on all regulatory authorities and stakeholders in Europe to step up the fight against spam, spyware and malicious software. Despite existing EU legislation to outlaw spam in Europe, Europe continues to suffer from illegal online activities from inside the EU and from third countries, the Commission underlines in a new Communication. The Communication stresses that although internet safety is on the political agenda for some time, national authorities should step up their actions to prosecute illegal online activities."

  • Related press release: "Sophos, a world leader in IT security, has published its latest report on the top twelve spam relaying countries over the third quarter of 2006. Sophos experts believe that a possible reason for America's increasing lead in relayed spam when compared to its closest rival, China, is the emergence of over 300 strains of the mass-spammed Stratio worm."
  • November 26, 2006
    * Processing of Personal Data By SWIFT and EU Data Protection Opinion

    Follow-up to previous postings on the SWIFT online financial cooperative network, this November 23, 2006 corporate press release:

  • "SWIFT strongly objects to WP 29's opinion [Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), 11/26/2006 WP 128] about the communication of personal data to the US Treasury (UST). SWIFT acted responsibly within applicable laws by complying with mandatory UST subpoenas for limited sets of data in the US for the exclusive purpose of terrorism investigations. It obtained from the UST extraordinary protections and control mechanisms that met both its obligations to protect the confidentiality of its members’ data and requirements to follow EU and US laws."
  • November 23, 2006
    * New UK Law Allows Use of Low Power FM Transmitters for MP3 Players

    Press release, November 23 2006: "Ofcom [the regulator for the UK communications industries] today announced that the use of certain low power FM transmitters, which wirelessly connect MP3 players and other personal audio devices to radios and in-car entertainment systems, will be legal for use in the UK from 8 December 2006...in response to consumer demand Ofcom has led negotiations in Europe to develop a harmonised technical approach designed to limit the potential of interference to other wireless devices. The FM transmitters that meet these specifications, and which will be legal to use in the UK, will carry a CE mark indicating approval for sale in the European Union. Their use will be legalised under the Wireless Telegraphy (Exemption) (Amendment) Regulations 2006 which come into effect on 8 December. The regulations set out the technical specifications for FM transmitters."

    November 09, 2006
    * EU: Directive on Prevention of Use of Financial System for the Purpose of Money Laundering and Terrorist Financing

    Directive on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (22 pages, PDF)

  • Press release (PDF): "This measure is intended to combat money-laundering and terrorist financing. It covers many forms of financial transactions including those over 15,000 euros which raise suspicions of financial institutions and for which there is no plausible explanation. There are no data protection provisions but the Directive comes under the 1995 EC Directive on data protection. However, Article 28 which says: "The institutions and persons covered by this Directive and their directors and employees shall not disclose to the customer concerned or to other third persons the fact that information has been transmitted..." is contrary to the rights set out in Articles 10 and 11 of the 1995 Directive on the right of the individual to be informed. Article 27 allows data to be passed to: "a third country which imposes requirements equivalent to those laid down in this Directive, and that they are from the same professional category and are subject to equivalent obligations as regards professional secrecy and personal data protection." - which, theoretically, would prohibit data being passed to the USA." [via Statewatch]
  • October 02, 2006
    * Belgium Privacy Commission Reviews SWIFT Violation of Data Protection Law

    Opinion No. 37 / 2006 of 27 September 2006, O. Ref.: SA2 / A / 2006 / 037- CONCERNING: Opinion on the transfer of personal data by the CSLR SWIFT by virtue of UST (OFAC) subpoenas. "During its session of 5th July 2006, the Commission had already made the decision to officially start an investigation into this case on grounds of article 32 § 1 DPL1, regarding the processing of personal data under the responsibility of SWIFT, a cooperative society under Belgian law, with headquarters in Belgium and with limited liability...As far as the communication of personal data to the UST is concerned, the Commission is of the opinion that SWIFT finds itself in a conflict situation between American and European law and that SWIFT at the least committed a number of errors of judgement when dealing with the American subpoenas. It must be considered a serious error of judgement on the part of SWIFT to subject a massive quantity of personal data to surveillance in a secret and systematic manner for years without effective grounds for justification and without independent control in accordance with Belgian and European law..."

    August 16, 2006
    * EU - European Data Protection Supervisor: Annual Report for 2005

    EU - European Data Protection Supervisor: Annual Report for 2005 - Published August 2006 (125 pages, PDF)

    May 30, 2006
    * European Court of Justice Strikes Down US Collection of Passenger Name Records

    BBC: "The European Court of Justice has annulled an EU-US agreement requiring airlines to transfer passenger data to the US authorities."

  • Press release and information from the Court of Justice of the European Communities, May 30, 2006 (3 pages, PDF)

  • Related postings on passenger data collection post 9/11
  • February 22, 2006
    * EU Approves New Data Retention Directive

  • EU press release, 21 February 2006 (21 pages, PDF)
  • See also EU action plan on combatting terrorism, 13 February 2006 (38 pages, PDF)
  • February 15, 2006
    * EU Commission Directive on Data Transfer

    Commission Staff Working Directive, 20/1/06.

    November 23, 2005
    * EU Advocate General Recommends Annulling Agreement to Share Passenger Name Records

    Nº 98/2005: 22 November 2005, Opinion of the Advocate General in cases C-317/04, C-318/04, Parliament/Council, Principles of Community law - press release - Advocate General Léger Proposed Annulment of the Commission and Council Decisions on Transfer to the American Authorities of Personal Information Concerning Air Passengers.

  • Full-text opinion (in French)

  • May 31, 2004, Passenger Data Collection Pact Signed Between EU and US
  • September 09, 2005
    * UK Open Rights Group Begins Work

    UK digital rights group sets up - "The main aims of the Open Rights Group are: to foster a grassroots community of campaigning volunteers; to connect journalists and the press with digital rights experts and activists."

    July 27, 2005
    * New EU Draft Directive on Data Retention

    The EDRI-gram newsletter reported on the release of the new EU Commission explanatory memorandum on data retention, July 20, 2005 (16 pages, PDF).

  • "The European Commission has finally produced its draft directive on data retention. According to the Commission, all fixed and mobile telephony traffic and location data from all private and legal persons should be stored for 1 year. Data about communications 'using solely the internet protocol' should be stored for 6 months."

  • June 27, 2005
    * Italian Lawyers Group Embraces Open Source Software for Document Management

    NewsForge has a detailed and very interesting posting on how a group of Italian attorneys have formed a consortium to facilitate the distribution of open source applications, and training in their efficient use, for a range of document management tasks as well as e-filing of court documents.

    April 12, 2005
    * Websites That Offer Consumers Safe Harbor

    Jay Cline reviews a range of popular e-commerce websites that offer consumers a defined list of privacy protections and provides general scores for those that implement portions of the European privacy principles.

    February 22, 2005
    * Smartcard Industry Report Compares Technology With RFID

    RFID Tags and Contactless Smart Card Technology: Comparing and Contrasting Applications and Capabilities

  • See also this chart comparing the features and applications of RFID tags and contactless smart cards.


  • Related resources:
  • From the EU: "On January 19th, the Working Party 29 adopted a Working Document on data protection issues related to RFID technology (Working document 105)...The paper also provides guidance to manufacturers of the technology (RFID tags, readers and applications) as well as RFID standardization bodies on their responsibility towards designing privacy compliant technology in order to enable deployers of the technology to carry out their obligations under the data protection Directive." [Link]
  • December 07, 2004
    * Global Manufacturer To Implement Website Privacy Protection Software

    Consumer product manufacturer Procter & Gamble plans to implement data privacy protection software on its websites (numbering in the hundreds) to meet compliance requirements in Europe, which after testing, will be followed by rollouts in the U.S. and other countries.

    August 31, 2004
    * Open Source Software Under Development for University Financials

    2 Universities Team Up to Create Free, Open-Source Financial Software for Campuses

    June 15, 2004
    * White Paper Profiles Data Protection Issues in U.S. and EU

    A Global Push to Protect Information Online

  • "As indispensable as e-mail and the Internet have become at work, companies face rising threats from the exposure of confidential business data or consumer data over the Internet."
  • May 31, 2004
    * Passenger Data Collection Pact Signed Between EU and US

    See the DHS press release, and the Fact Sheet: US-EU Passenger Name Record Agreement Signed. The transfer of data includes passenger email addresses, phone numbers and credit card information.

    May 18, 2004
    * Privacy Group Issues Report Critical of EU Passenger Data Agreement With US

    From Privacy International: "On May 17, 2004 the European Commission approved an agreement to transfer passenger details to the U.S. Department of Homeland Security, an agreement established in the name of, but that has little to do with, the war on terror." Privacy International has published this report, Transferring Privacy and Inadequate Adequacy, documenting what the organization contends entails the release of data to which the U.S. is not statutorily entitled.

  • See also EU agree US PNR deal
  • April 30, 2004
    * Proposed EU Data Retention Laws

    From the French Republic, Ireland, the Kingdom of Sweden and the United Kingdom, date of receipt, 28 April 2004:

  • "Draft Framework Decision on the retention of data processed and stored in connection with the provision of publicly available electronic communications services or data on public communications networks for the purpose of prevention investigation detection and prosecution of crime and criminal offences including terrorism." [link to full-text, pdf]

  • April 21, 2004
    * EU Challenges US on Air Passenger Data

    MEPs take on EU and US over air data deal:

  • "The European Parliament has by 16 votes, 276 in favour, 260 against, agreed to take a privacy rights battle over handovers of air passenger data to US security agencies to the EU courts."

  • April 08, 2004
    * Heightened Focus on Gmail by Privacy Advocates

    From the World Privacy Forum, this press release and letter (pdf) on behalf of a coalition of over two dozen privacy and advocacy groups, addressing Google's new webmail service, Gmail, specific to the retention and repurposing of user data for e-commerce and law enforcement applications.

  • Screenshots of Gmail from a beta tester, here and here.
  • April 01, 2004
    * EU Continues to Contest Transfer of Passenger Data

    From Statewatch, April 1:

  • "The European Parliament has passed a Resolution rejecting the draft Directive on "the obligation of carriers to communicate passenger data" and calling for it to be withdrawn. The Directive was put forward by the Spanish government last year and was radically altered by the Justice and Home Affairs Council on 30 March, see: Report and draft Directive.

  • "EU: Full-text of the Resolution adopted by the European Parliament at its plenary session on 31 March 2004 opposing the transfer of passenger data (PNR) to the USA and reserving the right to take the issue to the European Court of Justice: EP Resolution (pdf)."

  • March 10, 2004
    * Compromise Reached on EU Data Protection Laws

  • "Parliament adopted by 439 votes in favour, 39 against and 28 abstentions an own-initiative report on the 1995 Data Protection Directive. The House states firmly that transfers of personal data to third country authorities without consent, such as in the case of the US authorities accessing transatlantic passenger data, seriously infringes EU data protection standards. It considers the progress made over a year of talks with the US on this question to be totally inadequate, and calls for arrangements for data protection in such circumstances to be subject to approval by Parliament in the future." [Link to Report on the First Report on the implementation of the Data Protection Directive (95/46/EC) - Committee on Citizens' Freedoms and Rights, Justice and Home Affairs]

  • Text of the Directive
  • March 09, 2004
    * Report on Proliferation of Video Surveillance in EU

    The EU's Article 29 Working Party on data protection has produced a report on "Video Surveillance". The report sets out guidelines under the 1995 Directive on data protection in relation to surveillance by video cameras in public and work places. [Statewatch News Online] The report states that:

  • "The over-proliferation of image acquisition systems in public and private areas should not result in placing unjustified restrictions on citizens' rights and fundamental freedoms; otherwise, citizens might be actually compelled to undergo disproportionate data collection procedures which would make them massively identifiable in a number of public and private places."
  • December 16, 2003
    * EU Reaches Determination on Passenger Name Record Data Collection

    Quoting from the 16th December 2003 speech by Frits Bolkestein, Member of the European Commission in charge of the Internal Market, Taxation and Customs, concerning EU Data Protection:

  • "Firstly, clear limits on the amount of data to be transferred with a closed list of 34 elements. Furthermore, the US has undertaken not to require airlines to collect any data where any of these 34 elements would be empty. In practice, most PNRs consist of no more than 10-15 items." The agreement does not cover CAPPS II.

  • See this Department of Homeland Security Fact Sheet: Homeland Security and European Commission Reach PNR Agreement

  • See also my October 9 posting, EU Issues Update on Airline Passenger Data and European Commission/US Customs talk on Passenger Name Record (PNR) transmission, February 2003.
  • December 05, 2003
    * EU Demands Compliance on E-Privacy Directive

    With the expiration of an October 31 deadline for implementing the Directive on Privacy and Electronic Communications, the European Commission indicated that legal action against nine member states may be necessary to ensure their compliance. The directive addresses e-privacy issues that include spam, the use of cookies, and the protection of customer data by ISPs.

    October 31, 2003
    * Compliance With New EU Data Privacy Rules Begins Today

    "As from today EU Member States must comply with the Directive on Privacy and Electronic Communications, which sets EU standards for the protection of privacy and personal data in electronic communications. The Directive includes basic obligations to ensure the security and confidentiality of communications over EU electronic networks, including internet and mobile services. It sets out specific conditions for installing so-called “cookies” on users' personal computers and for using location data generated by mobile phones. Notably, the Directive also introduces a 'ban on spam' throughout the EU." [Link]

  • Background information on the new rules is available here

  • Background information on the specific Commission plans on spam is available here
  • October 13, 2003
    * EU v. U.S. Data Protection Policies

    From the Wall Street Journal, October 10:

  • "While the U.S. has opposed comprehensive regulations to protect citizens' privacy, Europe has plowed ahead with the world's toughest set of rules governing how companies and governments may deal with personal data, such as one's age, marital status, buying patterns -- even the information on a standard business card.
  • October 09, 2003
    * EU Issues Update on Airline Passenger Data

    Via Statewatch, this statement by the European Parliament on the need for strict restrictions on the collection, dissemination and maintenance of non-U.S. citizen personal data collected by airlines for transatlantic flights.

  • List of 43 data elements on airline passengers requested by the United States from transatlantic air carriers.
  • September 18, 2003
    * EU Airline Passenger Data Resolution

    25th International Conference of Data Protection & Privacy Commissioners Sydney, 12 September 2003 - Resolution concerning the Transfer of Passengers’ Data.

  • See also EU challenges U.S. passenger data plan

  • September 10, 2003
    * New Report on Implementing EU Copyright Directive

    From the independent group, the Foundation for Information Policy Research, this new guide, published September 8, Implementing the EU Copyright Directive, (128 pages, pdf). See this link for a table of contents to download specific sections in html, which include the following:

  • Background; Problems in the United States; Immediate public policy objectives; Wider public policy objectives; The Copyright Directive; Options for implementation; Summary of implementations, and country reports.

  • See also Copyright directive 'could be Europe's DMCA'
  • September 05, 2003
    * Airline Passenger Data Conflict Between US and EU

    From Statewatch.com:

  • "European Commission tells USA that demands for access to data on airline passengers breaches EU Data Protection Directive - correspondence reveals that USA is also asking for Advance Passenger Information to vet those flying."
  • August 13, 2003
    * Opposition to EU IP Directive

    From European Digital Rights, an association of privacy and civil rights organizations in Europe:

  • CODE Letter urging rejection of Proposal for a Directive of the European Parliament and of the Council on measures and procedures to ensure the enforcement of intellectual property rights.
  • IP Justice White Paper on Proposed European Union IP Enforcement Directive

  • June 19, 2003
    * EU Objections to US Collection of Airline Passenger Data

    Via StateWatch: The EU's Article 29 Data Protection Working Party has issued a strong report on access by the USA to personal data on passengers flying from the EU to the USA.

    June 17, 2003
    * Libraries, Copyright and Licensing

    Copyright and licensing for digital preservation. "Libraries cannot preserve digital material they do not own. Adrienne Muir describes a new project to identify copyright and licensing issues that currently hinder digital preservation and looks at whether new legislation (UK) will help."

    June 13, 2003
    * UK Guidelines on Employee Web Monitoring

    From Internet Magazine, news of the publication, by the UK Information Commissioner, responsible for data protection & freedom of information, of the third part of the Employment Practices Data Protection Code - Monitoring at Work, the Do's & Don'ts for workplace monitoring. Links to these documents, and to the other parts of the guide, are available here. Also see the Trades Union Congress website, called workSMART, that provides resources on workplace monitoring and internet policies.

    May 29, 2003
    * Proposed New EU Constitution

    From UPI: "A proposed European constitution...calls for an elected president of Europe and a binding bill of rights, but at Britain's insistence, it drops the notion of creating a federal "United States of Europe." An edited version of the draft is available here.

    The full text of the six documents (in pdf) is as follows:

  • Preamble

  • Draft Constitution, Volume I - Revised text of Part One

  • Draft Constitution, Volume II - Draft text of Parts Two, Three and Four

  • Draft text of Part II with comments

  • Draft sections of Part Three with comments

  • Draft text of Part IV with comments


  • May 06, 2003
    * Advocacy Group Seeks to Block Transfer of European Passenger Data

    European Digital Rights (EDRi), a non-profit coalition of privacy/advocacy groups based in Brussels, launched a campaign against the transfer of European travellers' Passenger Name Records (PNR) to U.S. Customs. See the following related documents:

  • EDRi campaign press release.

  • Full text of Article 29 Data Protection Working Party: Opinion 6/2002 on transmission of Passenger Manifest Information and other data from Airlines to the United States, adopted 24 October 2002, doc no: 11647/02/EN, WP 66 (pdf).

  • European Commission/US Customs talks on PNR transmission, Brussels, 17/18 February 2003, joint statement.

  • May 05, 2003
    * EU Websites Lacking Privacy Protections

    Contrary to the EU Data Protection Directive (pdf), a recent study determined that approximately 44% of European websites surveyed lack required privacy protection policies. The results indicated the greatest compliance was evidenced by UK sites and the worst by French sites.

    April 14, 2003
    * New German Copyright Law Opposed by Publishers

    According to the Chronicle of Higher Education, the recently amended German Copyright Law (pdf - in German) now exempts universities from fees associated with providing students and scholars with copyrighted materials in a digital environment. For additional information, please see this April 10 posting from amiga-news.de, New Copyright as Good as Succeeded, which provides some additional background about the law, as well as a link to an article from the German IT news publication, Golem (no translation available), and one from Der Spiegel (also in German). Anyone who can provide translation assistance for the law and these articles for beSpacific readers, please contact me. My thanks in advance. See also this brief article, Germany trying to copy DMCA (in English).

    See also my recent postings on U.S. copyright and distance learning issues here and here.

    April 07, 2003
    * New UK Legal Info Blog

    The Information Law Weblog, launched March 28, is by librarian/researcher/author Paul Pedley and focuses on copyright, data protection and freedom of information issues in the UK. Well worth a visit. (Thanks to DC for the link.)

    March 28, 2003
    * CAPPS II and EU Passenger Data Collection

    EPIC continues to expand its challenge to the CAPPS II System by documenting objections to the program that impact European airline passengers, in a statement (pdf) submitted to the EU Committee on Citizens' Freedoms and Rights, Justice and Home Affairs for a hearing held March 25.

    See also this announcement today: Spain proposes data on all airline passengers to be sent to law enforcement agencies and for extra checks on all foreign nationals entering the EU.

    March 11, 2003
    * EU Response to U.S. Demand for Passenger Data

    From StateWatch, this report (PDF) from the European Parliament's Committee on Citizens' Freedoms expressing strong concerns about the collection and use of EU passenger data by the INS and TSA.

    See also How US Customs bounced the European Commission into a quick decision.

    March 05, 2003
    * EU Approves Hacker Penalties

    EU Ministers agreed to establish a new criminal offense, "illegally accessing an information system," which would include incarceration for "serious cases." The text of this new policy is buried on page 19 of this 27-page document (PDF), under the heading "Attacks Against Information Systems." See also this related article in today's New York Times, Europe Hacker Laws Could Make Protest a Crime.

    See also a recent press release: European Commission proposes creation of Network Security Agency to boost Cyber Security in Europe.

    January 31, 2003
    * New EU Data Protection Proposal

    The European Commission on Data Protection Working Party issued a new directive on January 29 addressing the protection of personal online data and the enforcement of IP rights. The Working Document, On-line Authentication Services, is here.

    January 23, 2003
    * EU Coalition Opposes Data Retention

    This recommendation to the Council of the European Union from 38 Members of Parliament from 7 political groups conveys the group's opposition to the EU Data Directive which permits data mining, document retention and electronic surveillance programs involving citizens. The group states that these actions are "a violation of art. 8 of the European Court of Human Rights."

    October 01, 2002
    * U.S. Corporations Seek Relaxation of EU Privacy Rules

    ZDNet UK is reporting that a coalition of prominent U.S. high tech companies, calling themselves the Global Privacy Alliance (no web site available) wants the EU to relax its data protection laws to stimulate international e-commerce through the transfer of personal data collected on customers.

    September 16, 2002
    * EU Data Protection Commissioners Oppose Data Retention

    StateWatch.org reports that the Commissioners stated: "Where traffic data are to be retained in specific cases, there must therefore be a demonstrable need, the period of retention must be as short as possible and the practice must be clearly regulated by law, in a way that provides sufficient safeguards against unlawful access and any other abuse. Systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case."