A comparative study undergone in 2013 shows that there are huge variations in the level of Privacy inspections and fines in the EU. While most point towards the UK or Germany, it is actually Spain who is responsible for some 80% of Data Protection fines on the European continent.

1. Privacy enforcement is
strengthened in Australia
Civil penalties exceeding one million euros are possible but gaps
remain in appeals and transparency. By Graham Greenleaf.
Australia’s Privacy Act 1988
now includes considerably
stronger enforcement
powers, including civil penalties of
up to AUD$1.7 million (1.15 million
euros), in effect from 12 March 2014.
This article first outlines the new
powers, deficiencies in appeal rights
and transparency which may reduce
their effectiveness, and the Commis-sioner’s
draft ‘enforcement policy’.
Two further developments remain
unresolved: mandatory data breach
notification (MDBN); and a statu-tory
‘privacy tort’.
The 2014 reforms are a result of
the Privacy Amendment (Enhancing
Privacy Protection) Act 2012 (‘the
Amendments’). It also amended the
Privacy Act by including a new set of
thirteen Australian Privacy Princi-ples
(APPs) to replace the National
Privacy Principles (NPPs) previ-ously
applying to those parts of the
private sector covered by the Act,
and the Information Privacy Princi-ples
(IPPs) applying to the federal
public sector. There is little innova-tive
about the APPs, and in some
respects they will weaken the NPPs
and IPPs.1 None of the thirteen
APPs is, overall, an improvement,
and eight are worse for privacy pro-tection.
2 The new data export provi-sion
will in some cases require more
disclosure by companies. The APPs
Continued on p.3
Search and access back issues by
key words on PL&B's website
Subscribers can now conduct detailed research on data protection and privacy
issues on the Privacy Laws & Business website and access:
• Back Issues since 2000
• Special Reports
• Materials from PL&B events
• Videos and audio recordings
• Search functionality giving you the most relevant content when you need it.
Further information at www.privacylaws.com/subscription_info
To check the type of subscription you currently have, contact
glenn@privacylaws.com or telephone +44 (0)20 8868 9200.
Issue 128 April 2014
NEWS
2 - Comment
Privacy climate is heating up in
Australia and Mexico
5 - EU gives green light to Microsoft cloud
6 - EU DP Regulation’s slow progress
8 - Netherlands: Cookie provision and
legislation on data breach
9 - France: CNIL’s new inspection powers
13 - EU Art.29 DP Working Party publishes
opinion on personal data breach
notification • FTC rejects COPPA
federal pre-emption in Facebook case
16 - Germany issues guidance on CCTV
21 - UK ICO and US FTC sign MoU with
retrospective effect • Google pays 1
million euro fine in Italy • Italy’s
Garante increases inspections
ANALYSIS
10 - Clouded judgement by Sweden’s
Data Inspection Board?
17 - DPAs face different constraints
22 - Spain responsible for 80% of
European DP fines
27 - APEC’s Cross-border privacy rules
system: A house of cards?
LEGISLATION & REGULATION
16 - Mexico DPA enforces the law
25 - Right to be Forgotten: Rewriting an
existing EU privacy right?
30 - Latin America follows EU but with
distinctive national flavours
MANAGEMENT
14 - Internet of Things: Balancing DP
compliance and innovation
18 - New Zealand: Avoiding subject
access disasters

2. COMMENT
ISSUE NO 128 APRIL 2014
PUBLISHER
Stewart H Dresner
stewart.dresner@privacylaws.com
EDITOR
Laura Linkomies
laura.linkomies@privacylaws.com
ASIA-PACIFIC EDITOR
Professor Graham Greenleaf
graham@austlii.edu.au
SUB EDITOR
Tom Cooper
REPORT SUBSCRIPTIONS
Glenn Daif-Burns
glenn.daif-burns@privacylaws.com
CONTRIBUTORS
Ard Jan Dunnik and Feyo Sickinghe
Bird & Bird, Netherlands
Dan Jerker B. Svantesson
Bond University, Australia and
Stockholm University, Sweden
Mauricio Hernández
Bufete Soní, Mexico
Katrine Evans
Office of the New Zealand Privacy Commissioner
Aurélie Pols
Mind Your Privacy, Spain
Gabriela Zanfir
EDPS, Belgium
Dugie Standeford
PL&B Correspondent, UK
PUBLISHED BY
Privacy Laws & Business, 2nd Floor,
Monument House, 215 Marsh Road, Pinner,
Middlesex HA5 5NE, United Kingdom
Tel: +44 (0)20 8868 9200
Fax: +44 (0)20 8868 5215
Email: info@privacylaws.com
Website: www.privacylaws.com
Subscriptions: The Privacy Laws & Business International
Report is produced six times a year and is available on an
annual subscription basis only. Subscription details are at the
back of this report.
Whilst every care is taken to provide accurate information,
the publishers cannot accept liability for errors or omissions or
for any advice given.
Design by ProCreative +44 (0)845 3003753
Printed by Rapidity Communications Ltd +44 (0)20 7689 8686
ISSN 2046-844X
Copyright: No part of this publication in whole or in part may
be reproduced or transmitted in any form without the prior
written permission of the publisher.
© 2014 Privacy Laws & Business
Privacy climate is heating up
in Australia and Mexico
The amendments to Australia’s Privacy Act 1988 came into force
on 12 March and mean major changes. Companies need to note
that the Data Protection Commissioner now has much stronger
powers, including issuing a civil penalty of up to AUS $1.7 million
for a serious or repeated privacy breach. The new principles apply
to businesses with a turnover of at least AUS $3 million (p.1).
In the European Parliament’s text for the EU DP Regulation,
adopted in March, the Right to be Forgotten has been rebranded
and is now called “right to erasure" (Article 17). Data could be
restricted where “the particular type of storage technology does
not allow for erasure and has been installed before the entry into
force of this Regulation”. This is welcome news for companies.
Read an analysis of the Right to be Forgotten on p.25
The Members of the European Parliament (MEPs) also made a
proposal with regard to the one-stop-shop for international
transfers of personal data: a 'lead authority' must consult other
DPAs, and endeavour to reach a consensus. The Regulation would
bring new enforcement powers to many EU DPAs (p.17). But
what will all this cost Member States? A comparative study (p.22)
shows that some EU DPAs such as Spain receive a healthy income
from fines, but others do not. A Latin American roundup (p.30)
and another article on how Mexico’s DPA enforces the Act (p.16)
show that DPAs are becoming more active everywhere.
Sweden’s Data Protection Authority has challenged cloud services
in the last few years. The DPA has been particularly concerned
about subcontractors’ privacy compliance, and whether data
would be deleted after expiration of a contract (p.10).
Looking into trends for 2014, the Internet of Things has reached
take-off in terms of numbers of devices (p.14). Intelligent objects
which collect personal data, resulting in targeted advertising, raise
privacy issues. Finally, read on p.18 tips from New Zealand on how
to cope with a vast number of access requests, and an analysis of
APEC’s Cross Border Privacy Rules on p.27.
Several of these subjects will be covered at PL&B’s 27th Annual
International Conference, New Horizons ~ New Risks, 30 June - 2
July in Cambridge. See www.privacylaws.com/annualconference/
Laura Linkomies, Editor
PRIvACy LAwS & BUSINESS
Contribute to PL&B reports
Do you have a case study or opinion you wish us to publish?
Contri butions to this publication and books for review are
always welcome. If you wish to offer reports or news items,
please contact Laura Linkomies on Tel: +44 (0)20 8868 9200 or
email laura.linkomies@privacylaws.com.
O =========^mofi=OMNQ PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2014 PRIVACY LAWS & BUSINESS

3. ANALYSIS
Spain is responsible for 80% of
European data protection fines
A comparative study shows that there are huge variations in the level of inspections and
fines in the EU. By Aurélie Pols.
It is evident that there is a lack of
alignment amongst European Data
Protection Agencies, and there is a
question about the possible dominance
of the UK DPA in setting the scene for
privacy debate.
I read a variety of European lan-guages.
Switching from French to Eng-lish
on a daily basis, passing through
Dutch, German and now also Spanish,
allows me to get a feel for what data
protection agencies throughout Europe
focus on. Being a data scientist working
with privacy lawyers, and as French
remains my mother tongue, I was sur-prised
to encounter strong discrepan-cies
between what the French CNIL
discussed and how the British ICO
tackled privacy.
while the French talk of the risk of
exclusion from society due to smart
algorithms, the ICO rarely touched
upon the subject. They have heavily
fought spam. The typical example of
French worries is that of data gathered
by health insurers, which could
increase premiums if hamburgers were
paid using a visa card.
The philosophical French remain
allergic to social exclusion as President
of the CNIL, Mme. Isabelle Falque-
Pierrotin, declared in front of France’s
National Assembly back in October
20121.
She additionally touched on more
current subjects such as Facebook’s
facial recognition technology, cloud
computing and Google bundling its
Privacy Policies for which the French
CNIL fined Google 150,000 euros2.
The UK Guardian reported mainly on
the fact that the French CNIL’s website
crashed following the fine3.
Dissent and lack of coordination is
looming within the DPAs, as the Ger-mans
remain fragmented through their
Länder set-ups, the Dutch build a
cookie wall, the French are trying to
get some countries collaborating on
common themes while the Spaniards
started fining for “cookie”-Directive
infringement two months ago.
Such lack of coordination raises
questions about how the upcoming
European Union Data Protection Reg-ulation
will be put into practice once
passed. The European Parliament
voted the EU data protection reform
by a landslide in early March4. It is now
up to the Council of Ministers to agree,
despite the incessant lobbying. At least
the ICO has stopped telling the world
this would be a Directive, not a Regula-tion
as depicted in Wired5 last year.
while a majority of Privacy related
writings point either towards the UK,
due to their natural use of the English
language, or Germany, where suppos-edly
it is a sensitive topic, these are not
the leading countries in terms of pri-vacy
debate.
hArD fActs – the Ico’s exAct
posItIoN AmoNgst eu DpAs
All of the above remain circumstantial
evidence. Hard facts are needed to
back-up the original stance that the UK
DPA, the ICO, should not be consid-ered
as representative for privacy
matters in Europe.
we went to the source, to under-stand
how DPAs work: their finances,
their preferred sectors and how their
money trails.
During the fall of 2013, Mind your
Privacy gathered and analyzed 23 of
the 28 annual reports of the European
Data Protection Agencies. Germany
was excluded from the analysis, as there
is no overarching report covering all 16
Länder.
The published infographic can be
found at www.mindyourprivacy.com/
download/privacy-infographic.pdf. It
looks at annual budgets and how Euro-pean
DPAs are financed. Italy has the
highest available budget together with
the UK, above 20 million euros annu-ally.
Italy is also the country with the
thickest annual report with over 230
pages while countries such as Portugal
and Denmark barely add to 20 pages,
counting covers and back pages!
These budgets were then compared
with overall population sizes as DPAs
are supposed to protect their citizens
from infringement related to their
European right to privacy.
As data scientists, we considered
that the budget should probably be
proportional to the size of the popula-tion
even though economic aspects also
come into play.
Indeed, tax schemes such as the
Double Irish-Dutch arrangement5 tend
to skew data protection matters: many
technology companies have their HQ
in Ireland or the Netherlands.
As one often hears that privacy is a
cost, we wanted to understand where
DPAs’ budgets came from, if their
annual budgets were balanced or if
indeed, they were loosing money.
Roughly speaking, money comes in
through fees and fines. Italy and the
UK are amongst the most prominent
countries when it comes to fees. Com-panies
collecting and processing per-sonal
data on behalf of their customers
need to register their data collection
files at the appropriate DPA. Mind
your Privacy found that one out of
every six agencies analyzed used this
financing model (17%).
Our research shows that out of the
23 DPAs analyzed, only three were
actually unable to balance their budg-ets.
The UK is one of them, signing off
their annual budget with a deficit. Five
were break-even, the other 15 held a
surplus of 25% or even 50% or more.
Extremes: the Czech Republic
shows a 32% deficit, probably due to
lack of information in their annual
report. On the opposite side of the
spectrum: Spain with a surplus of
135%. This confirmed Spain was
responsible for almost 80% of data
protection fines in the EU for 2011.
ANNuAL BuDgets: where Does
the moNey go?
The next step was to find out how this
OO =======^mofi=OMNQ PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2014 PRIVACY LAWS & BUSINESS

4. ANALYSIS
AMOUNT GAINED BY SANCTIONS PER COUNTRY
20.000.000
19.500.000
19.000.000
18.500.000
18.000.000
3.000.000
2.500.000
2.000.000
1.500.000
1.000.000
500.000
0
Spain
money was spent.
Hungary 36,000
Portugal 250 30,000
Switzerland 7,900
Spain
19.500.000 €
UK
3.120.000 €
1.500.000 €
644.000 €
UK
Italy
Ireland
Portugal
EU DPAs mainly process com-plaints
COUNTRIES WITH THE HIGHEST
and then conduct inspections.
RISK OF SANCTIONS
The next step is to sanction and collect
fines in case of severe negligence.
(total sanctions / # of inspections)
The United Kingdom deals with the
most complaints on a yearly basis. with
over 13,800 complaints, the UK
Amount gained
by sanctions
Netherlands
France
Czech Republic
Bulgaria
Romania
handles over double the complaints of
the countries next in line such as Spain
or France. Note that Ireland handles
one 10th of the UK amount.
Looking at yearly inspections, not
all complaints turn into inspections and
not all inspections emanate from com-plaints.
It would be safe to state,
however, that undergoing an inspection
involves more work than dealing with a
complaint.
while France and Italy hover at
around 400 inspections a year, the UK
reported 42 in total. On the other side
of the spectrum, Spain conducted over
5,000 inspections!
while one could imagine various
levels of inspections, involving more or
less manpower, the figures do seem to
point to curious facts:
1. The UK receives the most com-plaints,
double the amount of Spain
and France, which are the next two
countries.
2. The UK does very few inspections:
42 compared to a total of 5,389 for
Spain.
yet ultimately, if we were to follow
the money trail and the revenue factor
for DPAs, which is a cost factor for
companies infringing privacy rights, it
is actual sanctions we should focus on.
And that is where again, Spain
comes out as top country, again this
time in terms of yearly sanctions.
the hIghest rIsK of
sANctIoNs?
Companies involved in data collection
want to protect themselves against the
risk of getting sanctioned, as many
struggle to find ROI in Big Data. The
typical question they address their legal
counsel when it comes to privacy is: in
which country do I need to be extra
careful?
As a data scientist, I confess that
there is no easy answer to that. It
depends on other external factors that
need to be identified; often starting
with the sector your company is in.
The UK DPA looks carefully into
lenders and government agencies, due
to the amount of complaints they
receive about these sectors. Italy would
typically go after financial services and
credit information. Spain is into Telco,
without a doubt: it is their initial cash
cow. Spain is however also looking
closely at security companies. They
started fining under the EU Cookie-
Directive, probably ramping up
knowledge related to Internet Services.
Tip: If you are an international
company rolling out websites in Spain,
make sure your privacy policies align
with what you are effectively doing on
your website related to data collection!
21%
LOWER Netherlands
75%
Romania 38%
Italy
55%
United Kingdom
NUMBERRISK OF SANCTIONS PER COUNTRY
Spain
11%
Spain(*)
79%
Portugal
Sanctions
700
600
500
400
300
200
100
0
Spain
Portugal
572
Romania
Italy
Estonia
UK
Latvia
Slovakia
Netherlands
France
3
Czech Republic
Hungary
Bulgaria
Slovenia
MAXIMUM AMOUNT OF SANCTIONS
© 2014 PRIVACY LAWS & BUSINESS PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT ^mofi=OMNQ OP
DPAS CAN HAND OUT
(in euros)

5. Spain
ANALYSIS
UK
Italy
Portugal
Ireland
COUNTRIES WITH THE HIGHEST
RISK OF SANCTIONS
(total sanctions / # of inspections)
55%
United Kingdom
LOWER Netherlands
RISK
11%
Spain(*)
79%
Portugal
In terms of numbers, if we were to
calculate the risk of sanctions by divid-ing
the number of sanctions by the
number of inspections, the UK contin-ues
to score high. They undergo few
NUMBER OF SANCTIONS PER COUNTRY
inspections indeed!
Spain
Additionally, countries are also
700
600
500
400
300
200
100
0
Spain
limited in the maximum amount of
sanctions they can impose.
Sanctions
572
So, while the highest average
amount of sanctions goes to the UK,
the ICO also enjoys the lowest propor-tion
of sanctions and inspections com-pared
to complaints from individuals.
Italy
Estonia
UK
Latvia
Slovakia
Netherlands
France
3
Czech Republic
Hungary
Bulgaria
Slovenia
Portugal
Romania
In a nutshell, the risk of sanctions
Netherlands
France
Czech Republic
Bulgaria
Romania
21%
75%
Romania 38%
Italy
depends which numbers you take to
calculate the risk factors per country.
when Google decided to bundle the
privacy policies of all their products into
one, their lawyers probably knew that
they would face an outcry in Europe.
They probably went through a rapid
risk analysis, summing up the adjacent
table. Counting loosely, adding legal
expenses, the amount doesn’t add up to
more than 3 million euros. In the light
of Big Data promises and seen from
Google’s perspective, wouldn’t you
also recommend they intertwine the
data collected through their services?
towArDs INcreAseD
europeAN coLLABorAtIoN?
The ICO certainly has the language
advantage when it comes to leading
matters related to Privacy in Europe.
Only over the last few years have
DPAs like the French CNIL been
more active in English, translating
parts of their communications.
while the United Kingdom has had
its fair share of EU frictions and mis-alignments,
one should also not forget
one major difference with the British
legal system that makes coherent
European discussions around privacy
very difficult: Common Law.
while continental Europeans talk
of Data Protection, the Anglo-Saxon
countries, including the United States
prefer the term privacy. Our Data Pro-tection
Agencies talk of fines, not class
actions. we seek overarching pan-
European Directives and Regulations
instead of sector based legislations
such as US HIPPA, COPPA, etc.
Evolution and progress however
remains possible. As we increasingly
evolve towards a global digitalized
world, where data can be transferred
without decay from one point of the
planet to another by the click of a
mouse, we are inevitably faced with
trying to align our views about where
Privacy and Data Protection should
next evolve.
Alignment is in progress, hopefully
fast enough to efficiently support the
upcoming Regulation.
MAXIMUM AMOUNT OF SANCTIONS
DPAS CAN HAND OUT
(in euros)
Min Max
UK 606,642
Spain 900 600,000
Czech Republic 204,000 408,000
Germany 50,000 300,000
Poland 270,000
Netherlands 250,000
France 150,000
Greece 146,000
Italy 6,000 120,000
Hungary 36,000
Portugal 250 30,000
Switzerland 7,900
AMOUNT GAINED BY SANCTIONS PER COUNTRY
AUTHOR
OQ=======^mofi=OMNQ PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2014 PRIVACY LAWS & BUSINESS
20.000.000
19.500.000
Aurélie Pols, Mind Your Privacy co-founder,
Spain
Email: aurelie@mindyourgroup.com
1. www.assemblee-nationale.fr/14/
cr-cloi/12-13/c1213002.asp
2. www.cnil.fr/english/news-and-events/
news/article/the-cnils-sanctions-
committee-issues-a-150-
000-EUR-monetary-penalty-to-google-inc/
3. www.theguardian.com/technology/
2014/feb/10/googles-link-french-privacy-
fine-crashes-watchdog-cnil.
http://www.theguardian.com/techn
ology/2014/feb/10/googles-link-french-privacy-
fine-crashes-watchdog-cnil
4. http://europa.eu/rapid/press-release_
MEMO-14-186_en.htm
5. www.wired.co.uk/news/archive/2013-
02/07/ico-against-eu-data-protection
6. http://en.wikipedia.org/wiki/
Double_Irish_arrangement
REFERENCES

6. Privacy Laws & Business also publishes the United Kingdom Report, a publication which ranges beyond
the Data Protection Act to include the Freedom of Information Act and related aspects of other laws.
Guarantee
If you are dissatisfied with the Report in any way, the
unexpired portion of your subscription will be repaid.
Subscription Packages
(vAT will be added to PDF subscriptions within the UK)
Single User Access
nn PL&B International Report Subscription £500
nn UK/International Reports Combined Subscription £800
Subscription Discounts
Discounts for 2-4 users or 5-25 users
Number of years: 2 (10% discount) or 3 (15% )
Go to www.privacylaws.com/subscribe
Special academic rate – 50% discount on above prices –
contact the PL&B office
Subscription Includes:
Six new issues of each report, on-line access to back issues,
special reports, and event documentation.
Data protection Notice: Privacy Laws & Business will not pass on
your details to third parties. we would like to occasionally send you
information on data protection law services. Please indicate if you do not
wish to contacted by: nn Post nn email nn Telephone
Name:
Position:
Organisation:
Address:
Postcode: Country:
Tel:
Email:
Signature:
Date:
Payment Options
Accounts Address (if different):
Postcode:
vAT Number:
nn Purchase Order
nn Cheque payable to: Privacy Laws & Business
nn Bank transfer direct to our account:
Privacy Laws & Business, Barclays Bank PLC,
355 Station Road, Harrow, Middlesex, HA1 2AN, UK.
Bank sort code: 20-37-16 Account No.: 20240664
IBAN: GB92 BARC 2037 1620 2406 64 SwIFTBIC: BARCGB22
Please send a copy of the transfer order with this form.
nn American Express nn MasterCard nn visa
Card Name:
Credit Card Number:
Expiry Date:
Signature: Date:
1. six reports a year
The Privacy Laws & Business (PL&B)
International Report, published
since 1987, provides you with a
comprehensive information service
on data protection and privacy issues.
we bring you the latest privacy
news from more than 100 countries –
new laws, bills, amendments, codes
and how they work in practice.
2. online search function
Subscribers can search the PL&B
website to access: back issues since
1998; special reports, slides, videos
and recordings from PL&B events.
3. regular e-news
Subscribers receive updates about
relevant news as and when it happens.
Choose international and/or United
Kingdom data protection news.
4. helpline enquiry service
Subscribers can request information
about the current status of legislation
and other information.
5. Index
Search a country, subject and
company index (1987-2014)
www.privacylaws.com/
Publications/report_index/
electronic option
The electronic PDF format enables
you to: receive the Report on
publication; click-through from email
and web addresses; and follow links
from the contents page to articles.
subscription Discounts
Discounts for 2-4 users or 5-25 users
and 2 years (10%) or 3 years (15%).
See www.privacylaws.com/subscribe
Privacy Laws & Business has clients in more
than 50 countries, including 25 of the Global
Top 50, 24 of Europe’s Top 50, 25 of the
UK’s Top 50 in the Financial Times lists.
Please return completed form to:
Subscriptions Dept, Privacy Laws & Business,
2nd Floor, Monument House, 215 Marsh Road,
Pinner, Middlesex HA5 5NE, UK
Tel +44 20 8868 9200 Fax: +44 20 8868 5215
e-mail: sales@privacylaws.com 24/04