ANZ Dashboard Digest

A new approach to notice and consent has been around for at least a couple of years now. The Microsoft whitepaper was released late 2012, and several subsequent books by privacy thought-leaders have developed this theme, which makes sense. Individuals ought to be given the opportunity to shape their profiles and to have a role in transactions involving their data, and notice and consent will no longer suffice. Equally, entities that stand to benefit from the information should protect their source if they wish to guarantee the future supply of valuable data.

If this approach is accepted, some of the stories this week indicate that there is still a long journey ahead. Whilst many entities still appear to treat privacy as a compliance issue, and one where boundaries should be pressed, others continue to succeed based on adoption of the new approach. It will be interesting to see how this divide plays out in terms of commercial success. That other old chestnut of balancing the right to information against the right to privacy also gets some play this week in the opinion piece titled “Privacy starts to bite.” To hear all about it and ask your own questions of the experts, make sure you book your place at our Privacy Awareness Week breakfast discussion on 6 May as debate on the Australian Law Reform Commission paper on serious invasions to privacy in a digital age continues.

A safe and very Happy Easter to you all,

Emma Hossack
President
IAPP ANZ

Top Australia and New Zealand Privacy News

PRIVACY LAW—AUSTRALIA

Expert: Businesses Not Ready for New Laws (December 19, 2013)

“At least half of corporate Australia will not be compliant with new privacy laws when they come into effect in March next year,” The Australian reports, citing comments from DLA Piper Intellectual Property and Technology Partner Alec Christie. “My feel is 50 to 60 percent of corporate Australia will not be compliant … and either it is a hangover from not taking the previous law that seriously, because there weren’t penalties and fines, or it is just not on their to-do list,” Christie said. Beginning 12 March, the Australian Privacy Principles will apply to businesses and federal government, and agencies and companies can be fined $1.7 million and individuals $340,000 for serious or repeated invasions of privacy.

INFORMATION ACCESS—NEW ZEALAND

Ombudsman, Commissioner Find EQC Failed To Comply (December 19, 2013)

Chief Ombudsman Dame Beverley Wakem and Privacy Commissioner Marie Shroff have announced the Earthquake Commission (EQC) failed to comply with Official Information Act and Privacy Act obligations “by dragging its feet over information requests from quake affected homeowners,” The New Zealand Herald reports. In their report, Wakem and Shroff noted the EQC is working in an “extraordinary context … but EQC's customers in Canterbury are living in the aftermath of a major natural disaster.” The report makes 13 recommendations for information request improvements, “all of which have been accepted by EQC, which is now taking steps to implement them,” the report states.

BEHAVIOURAL TARGETING—AUSTRALIA

CIS: Top ISPs Have Least-Compliant Privacy Policies (December 19, 2013)

According to the Centre for Internet Safety (CIS), websites “are actively tracking customers with long-term use of an average of 10 tracking cookies per site,” CSO reports, noting that CIS has “ranked sites by the compliance of their privacy policies with soon-to-be-tougher Australian privacy laws.” According to the report, the best privacy policy of those reviewed belonged to the Victorian government’s website; the worst came from a U.S.-based photo-sharing site, and the second- and third-worst policies came from ISPs iiNet and TPG. “While brevity is good with privacy policies because it may mean less verbiage and legalese, 313 words in iiNet's case and 269 in TPG's case didn't allow them to convey anything meaningful whatsoever to their customers,” the CIS review notes.

DATA LOSS—NEW ZEALAND

FAQs Answered After PI on 120,000 Released (December 19, 2013)

Following Wellington City Council parking services contractor Tenix Solutions’ inadvertent release of personal information on 120,000 New Zealanders, Techday provides a list of FAQs and answers from the council. Among the information included is the type of information released—which included vehicle number plates, registered vehicles’ owners and contact addresses—who had access to the information and when the council learned of the breach. “The council claims the matter is in hand, and that they are confident the data wasn’t leaked further,” the report states.

PRIVACY EDUCATION

IAPP Offers New Suite of Web Conferences (December 18, 2013)

The IAPP has announced an integrated suite of web conferences to allow members to access far more of this valuable content while providing an opportunity for certified members to acquire up to 14 free Continuing Privacy Education hours in 2014. This feature for The Privacy Advisor details the full schedule of programs, which includes the Insight Series, Access Series and Innovation Series. We hope you will take advantage of these new opportunities for education to help you with your day-to-day operations and to further augment the body of knowledge developed through CIPP or CIPM certification.

PERSONAL PRIVACY

The Privacy Implications of Data-Driven Dating (December 17, 2013)

“When we talk about Big Data, we mostly refer to large-scale conglomerations of information about our collective behavior, aggregated by governments and big corporations,” writes Karen Levy of Princeton University. “But there’s another way data have become big: Our interpersonal connections are being infiltrated by data to an unprecedented degree, changing how we relate to one another,” she adds. This post for Privacy Perspectives looks into the range of apps and technology that allow individuals to gather, interpret and deploy data and not only be “passive data points about whom data is collected and aggregated.”

PRIVACY ART

The Privacy Messages Sent Through Art (December 16, 2013)

Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery.

PRIVACY LAW

U.S. and French Laws, EU Retention Directive Under Fire (December 16, 2013)

France is receiving criticism for a new law expanding government agencies’ access to Internet data; a European Court of Justice advocate has deemed the retention directive in violation of citizens’ fundamental privacy rights, and in the U.S., a petition to update the Electronic Communications Privacy Act has received more than 100,000 signatures. This week, Privacy Tracker reports on these developments as well as new administrative measures for Chinese credit reference agencies, U.S. states’ challenges to NSA surveillance and new fining powers for the Dutch data protection authority. (IAPP member login required.)

ONLINE PRIVACY

Bilton: “Anyone Who Can Watch You Will” (December 16, 2013)

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” (Registration may be required to access this story.)

DATA PROTECTION

The EU and APEC: A Roadmap for Global Interoperability? (December 13, 2013)

The steady stream of media reports on the privacy differences between the EU and the U.S. would have you believe that cross-border data sharing is nothing but storm clouds over the Atlantic. There is, however, a bright spot for cross-border information flows if we turn our attention to the Pacific. In this exclusive for The Privacy Advisor, John Kropf, CIPP/US, CIPP/G, and Malcolm Crompton, CIPP/US, look at data transfers in the APEC region, suggesting other regions take heed.

ONLINE PRIVACY

Google To Cache All Gmail Images, To Some Confusion (December 13, 2013)

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users.

PRIVACY LAW—AUSTRALIA

Amendment To Change Privacy Landscape (December 12, 2013)

Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change, reports Australian Security Magazine. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have.

PERSONAL PRIVACY—AUSTRALIA

Aussie Authors Among Those Condemning Global Surveillance (December 12, 2013)

More than 500 of the world’s top writers, including 30 from Australia, have banded together to condemn the scale of government surveillance around the globe, The Guardian reports. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals have undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds.

BIOMETRICS—AUSTRALIA

Opinion: Say No to Scanning at Clubs (December 12, 2013)

In an op-ed for The Guardian, Asher Wolf criticises plans in New South Wales to introduce an ID-scanning program in 35 bars, citing “fierce condemnation from civil liberties groups and privacy advocates. The idea of handing the average bar staffer long-term responsibility over sensitive personal data is an immensely creepy proposition.” Wolf cited concerns that information stored in databases could be compromised, suggesting those concerns have “been overlooked in the rush to implement the scheme. Rather than ensure government oversight of the scheme, the program has been left up to the whims of a cabal of bar owners, police and private operators.”

PERSONAL PRIVACY—SOUTH KOREA

FSS, FSC Being Investigated (December 12, 2013)

The Korea Times reports the National Human Rights Commission (NHRC) will investigate the Financial Services Commission and the Financial Supervisory Service over allegations the regulators “infringed on the rights of policyholders by allowing insurers to accumulate a wide range of information about them and their health.” An NHRC spokesman said the commission has accepted a petition from a civic group, noting, “Our team is currently conducting an initial probe into the possible rights violation cases. The probe will continue for several weeks.” Based on that investigation, the NHRC will determine whether to refer the case to law enforcement, the report states.

BIG DATA

At DPC: Out with Notice and Consent, In with Data Use Regulation (December 12, 2013)

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” This exclusive for The Privacy Advisor examines this idea of holding users accountable, whether they have persuaded a consumer to provide consent by clicking a button or not.

CLOUD COMPUTING

Snowden Leaks “Gumming Up” Cloud Industry (December 12, 2013)

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry, CNET News reports. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.”

GEO PRIVACY

Twitter Partnership Aims To Bolster Location Services (December 11, 2013)

According to MediaPost News, Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users.

SURVEILLANCE

NSA Uses Ad-Tracking Tech To Locate Targets (December 11, 2013)

The Washington Post reports on leaked U.S. National Security Agency (NSA) slides that reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information but do include users’ e-mail addresses and numeric codes to identify their browsers, the report states. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” (Registration may be required to access this story.)

PRIVACY COMMUNITY

Looking for Love? Try a Privacy Conference (December 11, 2013)

It was winter of 2011, and Rob Gratchner just had to get to the IAPP's Data Protection Congress. His then-girlfriend, now Amanda Gratchner, was attending, and where better to ask her to marry him? But there was a hiccup. A big one. The Paris event was sold out. Despite his pleas to the powers that be at the IAPP, he couldn't get in. "I went to Paris by myself," Amanda says with a bit of a playful tone. But two months later, in Seattle, WA, at the spot where they first kissed, Rob proposed. In this feature, IAPP Associate Editor Angelique Carson, CIPP/US, talks with three couples who found their work in the privacy field—and their spouses, too.

PRIVACY

Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan (December 10, 2013)

In part five of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores building an audit plan, which she says is essential. A few basic steps can help you to prepare and simplify the process, she says. "Writing down all of the details will solidify your plan. You may not be audited right away, and people tend to forget everything that you have told them and panic when they hear the word 'audit.' Having this information written down will help keep everyone focused and moving the same direction," she writes.

GEO PRIVACY

AVG Unveils WiFi Do-Not-Track App for Mobile (December 10, 2013)

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking, Forbes reports. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” In October, Daily Dashboard reported on an initiative by the Wireless Registry and the Future of Privacy Forum to offer a brick-and-mortar Do-Not-Track registry for MAC addresses.

PRIVACY COMMUNITY—NEW ZEALAND

John Edwards Is New Privacy Commissioner (December 10, 2013)

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years, reports The New Zealand Herald. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February.

SURVEILLANCE

Tech Giants Urge Global Surveillance Reform (December 9, 2013)

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website reformgovernmentsurveillance.com to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data.

PRIVACY LAW

Regulators Across the Globe Taking Action (December 9, 2013)

From the U.S. Federal Trade Commission (FTC) to the Dutch Data Protection Authority (DPA), regulators are asserting themselves in consumer privacy issues. This Privacy Tracker weekly legislative roundup offers information on the FTC’s settlement with a flashlight app developer, as well as its plans for the upcoming year, and the Dutch DPA’s findings in its investigation of Google’s privacy policy. Meanwhile, the UK Information Commissioner’s Office announced that pending new pan-Europe legislation will result in significant budget losses, causing it to restructure; some are calling U.S. state attorneys general the most important privacy regulators in the country, and BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. (IAPP member login required.)

PRIVACY PROFESSION

What Makes a Good Privacy Pro? (December 6, 2013)

“For companies striving to maintain compliance with myriad global data protection and privacy rules, and keeping up with future developments, the privacy professional is key,” writes Reed Elsevier Senior Director of Privacy and Data Protection Emma Butler. “Increasingly,” she points out, “companies seem to think that they have to hire qualified lawyers to fulfil this role, but is that really the case?” This Privacy Perspectives post looks into this question and asks if a business wants “a lawyer who just advises on the interpretation of the law and leaves decision-making on privacy and subsequent implementation to the business? Or do you want a practitioner who can drive the privacy program from the ground up, making key decisions and delivering privacy effectively across the business?”

DATA LOSS

Breach May Hit 465,000 Cardholders; 2M Passwords Stolen (December 6, 2013)

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cyberthieves, Reuters reports. The cards were used by corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports, in a separate incident, keylogging software that has been installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo.

TARGETING ADVERTISING

Twitter Starts Ad Targeting; Automaker Tracks from Showroom (December 6, 2013)

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ, Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).”

BIG DATA

Data-Mining Software Biz Expects To Raise $100M (December 6, 2013)

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA

Privacy Amendments Carry Big Penalties (December 5, 2013)

In a feature for Mondaq, David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace continues on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments and offers tips for compliance. The amendments will come into effect on 12 March.

DATA LOSS—AUSTRALIA

Used Memory Sticks Containing PII Resold (December 5, 2013)

The Australian reports on a discovery by researchers of a “treasure trove” of confidential data on discarded memory sticks, including sensitive Australian government data. The researchers, who are part of the Security Research Institute at Perth’s Edith Cowan University, are warning sellers to beware that such sensitive data can remain on memory sticks. “The results show that sellers are sending memory cards with no evidence of erasure, poor attempts to erase data—or simply asking the buyer to erase the data prior to use,” the study states. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—AUSTRALIA

OAIC Tables Annual eHealth Report (December 5, 2013)

The Office of the Australian Information Commissioner (OAIC) tabled its annual report of eHealth activities in Parliament on Tuesday. The report, which includes information about the OAIC’s compliance, enforcement, advice and liaison activities under the Personally Controlled Electronic Health Records (PCEHR) Act 2012 and the Healthcare Identifiers Act 2010, states, “Despite minimal enforcement activity during the year, the OAIC carried forward a full program of eHealth-related work.” Meanwhile, the Australian Medical Association is calling for the PCEHR system to be opt-out “to boost consumer participation.”

PRIVACY LAW—AUSTRALIA

ALRC Examines Right To Be Forgotten; Privacy Tort (December 5, 2013)

The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right to erasure,” News.com.au reports, noting “privacy groups are demanding the right to censor other people's posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can't give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort.

FINANCIAL PRIVACY—NEW ZEALAND

Official Welcomes Draft FATCA Legislation (December 5, 2013)

Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliance Act (FATCA) regulations, Voxy reports, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states.

BIG DATA—AUSTRALIA & NEW ZEALAND

Study: ANZ IT Professionals Not Confident About Orgs’ Policies (December 5, 2013)

CSO reports on a recent ISACA survey that found only 22 percent of responding IT professionals in Australia and New Zealand “are confident their enterprise has a policy regarding how it manages Big Data.” Conversely, 61 percent indicated their organisations had “no policy around Big Data—and a further 17 percent of Australasian IT professionals were unsure,” the report states. According to the survey of 2,013 IT professionals, only five percent “say their enterprise is very prepared to ensure effective governance and privacy of Big Data.”

SURVEILLANCE—AUSTRALIA & U.S.

Data-Gathering Concerns Persist (December 5, 2013)

The Washington Post reports on the U.S. National Security Agency’s (NSA) gathering of nearly five billion records per day on cellphone locations around the world. According to documents provided by former NSA contractor Edward Snowden, the documents’ details are stored in a vast database, and new tools to analyse the data have resulted in mass surveillance as the agency is capable of tracing cellphones globally and retracing movements. Meanwhile, civil liberties groups in Australia are calling for “sweeping changes” to limit warrantless phone and e-mail surveillance, and The Guardian reports Snowden documents indicate Australia offered to share intelligence with its intelligence partners. (Registration may be required to access this story.)

PRIVACY LAW—ASIA-PACIFIC

Summary of APPA Forum Common Themes (December 5, 2013)

The 40th Asia Pacific Privacy Authorities (APPA) Forum has come to a close and common themes emerged between the 16 member authorities, according to the organisation’s communique. “Challenges posed by new technologies, cross-border disclosure of personal information and cross-border enforcement” were key themes, as well as “Privacy research and education.” Also discussed were regulatory tools, ethical dilemmas, best-practice privacy regulation, Privacy by Design principles, global developments and the work of international networks.

INFORMATION SECURITY—ASIA-PACIFIC

CTO: Biz Should Be “Open” About Device Policy (December 5, 2013)

McAfee Asia-Pacific Chief Technology Officer Sean Duca has said businesses should be “more open and candid” with employees and explore what tools and devices they prefer at work. Being candid, he said, can help prevent employees from circumventing protected corporate networks, thereby increasing risk. “As soon as you start to block (them), users will get savvy and see how they can get around it,” he added. According to McAfee-commissioned research, Australian and New Zealand employees ranked the highest—at 76 percent—for using at least one non-approved application, the report states. (Registration may be required to access this story.)

DATA PROTECTION—HONG KONG

Commissioner Rules Fitness Center Collected Excessive Data (December 5, 2013)

California Fitness has been fined by Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law, the South China Morning Post reports. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” (Registration may be required to access this story.)

INFORMATION SECURITY

Researchers Create Malware Able To Jump Non-Connected Devices (December 4, 2013)

Ars Technica reports on newly developed malware capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.”

DATA LOSS

Roundup: Breaches Abound; Outcomes Announced (December 3, 2013)

Across the globe, reports of data breaches—and the outcomes of past data loss incidents—continue to make headlines. This roundup for The Privacy Advisor examines some of the most recent breach headlines, including a breach at Arizona’s Maricopa County Community College District in the U.S. that has cost the district millions and required it to notify “nearly 2.5 million students, former students, employees and vendors that hackers may have compromised their personal information,” as well as incidents involving Vodafone Iceland, the Australian Broadcasting Corporation and a UK council. The report also highlights recent legal and data protection authority actions from across the globe.

ONLINE PRIVACY

Social Media Guru Deletes Facebook Account, Citing Need To “Take a Stand” (December 3, 2013)

Danny Brown, co-author of Influence Marketing: How To Create, Manage and Measure Brand Influencers in Social Media Marketing and author of HubSpot’s “#1 marketing blog in the world,” announced yesterday he has deleted his personal Facebook account because “at some point, we need to take a stand for our privacy.” Admitting he understands the irony of a marketer who uses social media data as a key part of strategic planning complaining about Facebook privacy, Brown says he simply can’t trust the product any longer and, as a marketer, no longer even trusts that the user data is being created by the users themselves. He understands the concept of “being the product” but now feels “it’s essentially a target on your data forehead, and hunting season is always open.”

ONLINE PRIVACY

New Study Uses Bots To Track the Trackers (December 3, 2013)

Forbes reports on a new study led by researchers at Princeton University and Belgium’s KU Leuven to discover patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.”

PRIVACY LAW

Safe Harbor Revelations and Global Developments (December 2, 2013)

This week’s Privacy Tracker legislative roundup includes the IAPP’s coverage of the European Commission’s report critiquing the EU-U.S. Safe Harbor agreement and offering the U.S. 13 ways to save it, and insight from Eduardo Ustaran, CIPP/E, on the report. You’ll also find information on the United Nations’ approval of an unlawful surveillance resolution, why India may have to wait a little longer for a privacy law and South Africa’s new law. In the U.S., more regions are considering social media laws and DNA databases, and courts have decided cases relating to COPPA and consumer privacy.

BIOMETRICS

Advancements in Facial Recognition Raise Privacy Questions (December 2, 2013)

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust,” The New York Times reports. While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” (Registration may be required to access this story.)