By Barbora Lezatková

Czech Data Protection Office Against Excessive Use of Cameras
The Czech Data Protection Office recently warned against the excessive use of cameras. The operation of cameras falls within the scope of the Czech data protection law if images and/or sounds are recorded, and if such recordings are used for identifying individuals. Video recording systems may be used only if it is not possible to achieve the objective of monitoring by other means that do not interfere with the privacy of individuals. When carrying out checks in the past year, the Czech Data Protection Office has discovered that video recording systems often are operated only as a precautionary measure without any attempts to employ other means to protect the property.

Barbora Lezatková is an Advokátka at Linklaters, v.o.s., advokátní kancelář, based in Prague. She may be reached at (420) 221 622 111.

By Pascale Gelly

CNIL Issues Its Annual Report
The activities of the Commission nationale de l'informatique et des libertés (CNIL) have increased dramatically in the last three years, by an estimated 570 percent. These activities also have changed in nature and philosophy. Important efforts were made toward simplification, including the issuance of four standards for simplified notifications; five exemptions from notifications; and eight unique authorizations.

The CNIL also has made use of its new powers granted by the 2004 Law by issuing 132 authorizations and 19 refusals of authorizations (use of SSN, use of digital prints). It also used its enforcement powers by sanctioning 18 data controllers and issuing four warnings.

In 2006, the CNIL received some 73,800 notifications and 3,572 complaints. The report demonstrates how understaffed the authority is (95 agents) in comparison with its European counterparts. "Among the 27 members of the European Union, France is one of the last 3 countries in terms of number of allocated agents," according to the report. The UK and Germany have 270 and 400 agents, respectively, and the Czech Republic has 113 agents for only 10 million inhabitants (vs. 64 million in France). The report describes the topics addressed last year by the CNIL: concern about a surveillance society, Passenger Name Records, political solicitation, measure of diversity and RFID, among others.

CNIL Sanctions in 2006
In 2006, the CNIL initiated about 100 procedures because of complaints or as a result of an on-site investigation. In most cases, no sanctions were issued, as infringers complied with the CNIL's injunction within the given time frame (10 days to 3 months). Still, 11 companies were ordered to pay fines ranging from $420 to $63,000; seven controllers received a formal injunction to stop or modify the data processing concerned; and four received a mere warning. Most of the cases involved banks, telecom operators, companies making direct marketing campaigns, and those firms that failed to cooperate with the CNIL. A certain number of decisions were published. The total amount of fines was about $235,000.

Delocalization of Call Centres and IT Outsourcing
The CNIL has formed a working group to address the implications of delocalizations of call centres and IT outsourcing. The working group is expected to issue proposals by the end of 2007.

Is an IP Address Personal Data? Paris Court of Appeal: No. CNIL and the Article 29 Working Party: Yes
Last May, in two cases, the Paris Court of Appeal ruled that IP addresses are not personal data. As a result, the collection of IP addresses of computers on which MP3 files were downloaded illegally has been considered outside of the scope of the Data Protection Law of 1978.

The court considered that individuals could not be identified even indirectly. The CNIL, expressing great concern about this decision, brought it to the attention of the Ministry of Justice in the hope that the ministry files a request before the Supreme Court. Ironically, one month after the court's rulings, the Article 29 Working Party adopted an opinion on the concept of personal data confirming the CNIL's approach.

The Controversy on Diversity Continues
A legal amendment to the draft bill on immigration and integration, adopted by a Commission of the National Assembly at the end of September, has reignited the controversy around the need to measure diversity, which part of French society criticizes as a denial of the right to equality.

The text intends to authorize the conduct of research on diversity of origins to permit a better integration. The CNIL considers that this text is an implementation of its recommendation since, if finally approved, it would modify the Data Protection Act to subject such research to the CNIL's prior authorization. In May 2007, the CNIL issued a list of 10 recommendations on the measure of diversity and the protection of personal data.

Reorganization at the CNIL
The CNIL services have been reorganized recently in order to ensure a transversal cooperation among services to better serve the CNIL's strategy: education/enforcement. Several promotions have followed. A department of experts, the Department of Legal and International Affairs and of Expertise, is now led by Sophie Vuillet-Tavernier, seconded by Sophie Nerbonne. Clarisse Girot and Guillaume Desgens, respectively, are appointed head of European and International Affairs, and head of Legal Affairs. Another important department is the Department of Relationship with Users and of Controls, whose Director is Jeanne Bossi. Thomas Deautieu is now leading the investigation department.

Pascale Gelly is Avocat à la Cour within SCM Lambot Gelly Soyer. She may be reached at


By Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G

ISO Developing Privacy Framework
The International Standards Organization (ISO), an international standard-setting body based in Geneva, is developing a Privacy Framework standard.

According to a statement from the ISO to the International Conference of Data Protection and Privacy Commissioners (ICDPPC), "the standard will provide a framework for defining privacy safeguarding requirements as they relate to personally identifiable (PI) information processed by any information and communication system in any jurisdiction. The framework will be applicable on an international scale and will set a common privacy terminology; define privacy principles when processing PI information; categorize privacy features; and relate all described privacy aspects to existing security guidelines. The privacy framework will serve as a basis for desirable additional privacy standardization initiatives, for example, a technical reference architecture; the use of specific privacy technologies; an overall privacy management; privacy impact assessments; and engineering specifications."

According to working documents, the standard, based on the EU Directive 95/46/EC on the Protection of Personal Data, applies to government and the private sector, and therefore has the potential to impact U.S. government systems.

Canada, this year's host of ICDPPC, has drafted a resolution for presentation at the September meeting calling for support of the ISO standards and active involvement of members in the standards development process. The U.S. Department of Homeland Security has representation on the U.S. team to the ISO.

Shannon Ballard and Lauren Saadat are Associate Directors of International Privacy Policy at the U.S. Department of Homeland Security. They can be reached at



By Eduardo Ustaran

House of Lords Supports Data Breach Notification Law
A wide-ranging inquiry into personal Internet security conducted by the House of Lords' Science and Technology Committee has concluded that the government should pass a law requiring organisations to notify all affected parties in the event of a loss of confidential data.

According to Lord Harris of Haringey, a data breach notification law would "concentrate the minds" of companies holding data, because loss of data would have an impact on that organisation's reputation. The Information Commissioner's Office (ICO) is, however, more cautious about the merits of compulsory breach notification measures. In particular, the ICO wishes to avoid situations where people are unnecessarily notified of a privacy breach.

Ministry in Breach of Subject Access Right
The ICO has found the Northern Ireland Office (NIO), the UK Government department responsible for Northern Ireland affairs, in breach of the Data Protection Act after it failed to supply an individual with information it held on him.

The ICO investigated the NIO following a complaint from an individual that the authority had not responded to a subject access request. Under the Data Protection Act, individuals have the right to find out what information an organisation holds on them. The ICO now has required the NIO to sign a formal undertaking to ensure that all personal information is processed in accordance with the Data Protection Act. The NIO also must provide training to all employees who deal with subject access requests under the act.

Eduardo Ustaran is a Partner at Field Fisher Waterhouse LLP, based in London. He may be reached at



By Michael T. Spadea

Loan Applicants' Personal Information Stolen
A wholly owned subsidiary of MBNA Europe, which in turn is owned by Bank of America, had the names, addresses, phone numbers and financial details of persons who applied for loans stolen and subsequently provided to rival loan companies.

The company states that the stolen information appears to have been used only for marketing purposes. Victims report receiving aggressive marketing calls and increased mail regarding financial products. The company is offering victims one year's free subscription to a credit monitoring service. Potential victims, the ICO and the police have been notified.

EU Claims UK Data Protection Act Inadequate
The European Commission states that the UK Data Protection Act does not adequately implement articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of the EU Data Protection Directive.

These articles refer to manual files, sensitive personal data processing, fair processing notices, rights of data subjects and exemptions from these rights, data subject's remedies when a breach occurs, organizational liability for breaches, transfer of personal data outside the EU, and the powers of the Information Commissioner. The EU and UK are currently in discussions, but the EU has reportedly threatened legal proceedings if negotiations are not fruitful.

Michael Spadea is a London-based privacy attorney. He may be reached at +44 (077) 80624543.

