PL&B International E-news, Issue 48
13 October, 2006
© Privacy Laws & Business 2006
- Italy's Data Protection Authority stops TV show on politicians' drug use
- $1million fine for US child privacy violation
- France's CNIL uses its new fining power for the first time (update)
- US and EU reach interim PNR pact
1. Italy's Data Protection Authority stops TV show on politicians' drug use
On Tuesday 10 October, the Italian Data Protection Authority, the Garante, suspended transmission of a satirical TV programme which used clandestine methods to find evidence of drug use among politicians.
The programme, Le Iene (the Hyenas), announced on Monday that it had secretly tested 50 lower house deputies and found evidence that 16 had taken drugs in the previous 36 hours. Twelve tested positive for cannabis and four for cocaine.
A journalist pretended to be an interviewer for a non-existent satellite TV show and asked the deputies to comment on the 2007 draft budget. A make-up artist wiped their foreheads between filming. Cells collected by the wiping were then tested for drugs. The Garante decided to block the programme, scheduled for Tuesday evening, because the tests to collect information about health had been conducted in a clandestine way. Under Italy's Data Protection Act, the authority has the power to block the processing of personal data. In this case the data was not only personal, but related to health, and so qualified as ‘sensitive'. The use of the sensitive personal data in preparing and broadcasting a television programme would have amounted to ‘processing'.
If any reader is aware of any similar case, in any country, of data protection authorities stopping the broadcast of programmes, please email James Michael, editor, international newsletter at James.Michael@privacylaws.com .
2. $1 million fine for US child privacy violation
The US Federal Trade Commission has imposed a $1 million fine on a social networking website, Xanga, for collecting, using, and disclosing personal details of children under 13, an offence under the Children's Online Privacy Protection Act (COPPA). The company has admitted the offences and accepted the fine.
3. France's CNIL uses its new fining power for the first time (update)
Using its new powers under the Data Protection Act 2004 for the first time, the French Data Protection Authority, the CNIL, has imposed a fine of 45,000 Euros on Credit Lyonnais, one of France's leading
financial institutions. This substantial fine was for ‘abusive' filing of information about clients with the Bank of France, and for impeding the CNIL in its investigation of complaints. Credit Lyonnais accepted the fine by publishing the announcement of the offences and penalty in Le Figaro and La Tribune, in the words ordered by the CNIL.
The CNIL fined Crédit Lyonnais for improperly placing the names of several individuals in national files, maintained by the Bank
of France, of persons with a negative credit history, including one person who was placed on the adverse credit list for allegedly not paying a debt which he had in fact paid.
The CNIL was particularly distressed that Crédit Lyonnais took long periods of time (in at least one case, about a year) to provide explanations for such actions in cases that the CNIL initiated after complaints by the affected
individuals. As a result, the CNIL found that Crédit Lyonnais had obstructed its investigations.
The fine was calculated by multiplying the penalty by three, and the publication of the fine in two newspapers was ordered because the CNIL found that the bank had been guilty of mauvaise foi (bad faith). By imposing the fine for impeding the inquiry, the CNIL has sent a strong message that it intends to use its new powers vigorously, and that French owned companies are just as subject to its regulation as French subsidiaries of U.S.-based companies such as McDonald's and Exide Technologies (PL&B International June/July 2005 p.5) Credit Lyonnais has announced the introduction of control procedures to prevent such breaches in future. The CNIL has warned that it will decide on more sanctions, including fines, in the near future, probably involving companies in banking and e-commerce.
More information in French: http://www.cnil.fr/index.php?id=2104&news[uid]=381&cHash=20ea8ddf3c
4. US and EU reach interim PNR pact
Under the US/EU agreement reached on Friday 6 October on disclosure of passenger name records (PNR), the FBI and other American agencies will have easier access to sensitive personal information on passengers flying from the EU to the US. Negotiations had stalled over the US demand for fewer restrictions on sharing the passenger records among US authorities. Franco Frattini, EU justice commissioner, said that he had agreed to allow easier transfer of information between US authorities after Washington gave fresh guarantees over data protection. Speaking at an EU justice ministers' meeting in Luxembourg, he said: “We are not talking about more data or more exchanges, we are talking about making it easier to transmit data.”
US Secretary of Homeland Security Michael Chertoff said: “I applaud my counterparts at the European Union for agreeing with me on the importance of sharing this passenger data to defend us against terrorism.” He emphasised the EU and US's “joint goal of combating terrorism while respecting our joint commitment to fundamental rights and freedoms, notably privacy”. Requests from other agencies that might conduct counter-terrorism investigations, such as the US Treasury and the Department of Justice, would have to be examined on a case-by-case basis, EU officials said, and these authorities would not have direct electronic access to the records.
EU officials said that Washington will continue to store the data for up to three and a half years. The US wanted to keep the data for longer periods, according to airline officials, but had not sought the 50-year period rejected by the EU in 2004.
The US will also retain the right to share the records with other governments. The new pact, finalised after a nine-hour video conference, is valid until July 2007. Talks for a longer-term agreement will begin in November.
When the two sides failed to reach agreement ahead of a September 30 deadline there was concern in some EU states that airlines would break domestic data protection laws by continuing to pass on the passenger information. An official for the German government's federal data protection commissioner said it was a "matter of concern". "What is the US doing with the information? At present we have no way of finding out," he said. However, airlines were told that they were unlikely to be fined for breaching national laws. The German data protection agency said it would not be prosecuting Lufthansa, the national carrier, as "the airlines are not those causing the problems in the first place". They could have lost US landing rights if they had not transmitted data.
Click here for further information about subscribing to the international newsletter.