Privacy News | Daily Dashboard

Top Privacy News

DATA PROTECTION

Reding Reveals Views on BCRs (November 30, 2011)
During a keynote address at the IAPP Europe Data Protection Congress on Tuesday, EU Vice-President Viviane Reding offered a glimpse of her views on binding corporate rules (BCRs) as an instrument for data transfers. Reding described BCRs as a "smart tool" in need of improvement. She proposed three strategies to improve BCRs' effectiveness--simplification, consistent enforcement and innovation.

PRIVACY LAW—U.S.

Facebook, Experts Respond to FTC Settlement (November 30, 2011)

In a blog post, Facebook founder and CEO Mark Zuckerberg announced the creation of two new chief privacy officer positions as part of an effort to address a proposed eight-point settlement with the Federal Trade Commission (FTC). Erin Egan has been named chief privacy officer, policy, and will lead the company's "engagement in the global public discourse and debate about online privacy and ensure that feedback from regulators, legislators, experts and academics from around the world is incorporated into Facebook's practices and policies." Michael Richter has been named chief privacy officer, products, and will ensure that Facebook's "principles of user control, privacy by design and transparency are integrated consistently" into the company's product development. Meanwhile, Computerworld reports that some experts do not think the FTC settlement was robust enough. One analyst said that as long as the company adheres to the FTC's policies, "they can now duck any outside criticism about the privacy policies by pointing to the FTC and saying, 'Hey, we're doing everything they've told us to do.'"

PRIVACY LAW—AUSTRALIA

Commissioner: Privacy Act Limited, Needs Revision (November 30, 2011)

Australia's information commissioner is calling for an update to the nation's Privacy Act, suggesting amendments that would increase the scope of entities and practices it covers and add a breach notification requirement, reports Computerworld Australia. In a submission to the government's Issues Paper exploring changes to the Privacy Act, the information commissioner's office says technological advancements mean an increased likelihood for large-scale breaches and a greater impact resulting from them, adding, "consideration should be given to providing for additional ways of protecting individuals' privacy." Telecommunications company Telstra also submitted comments, arguing that including a statutory cause of action for privacy would impede freedom of communication and discourage online business.

ONLINE PRIVACY—U.S.

Markey Displeased with Response to Inquiry (November 30, 2011)

Rep. Ed Markey (D-MA) is displeased with Amazon's response to his inquiry about its plans for the data collected by one of its browsers, MediaPost News reports. Markey recently wrote to the company with questions about its Silk browser and Kindle Fire, to which the company replied that "Customer information is an important part of our business and an important driver of customer experience and future invention." Markey said the response isn't sufficient and does not provide enough detail. "Amazon is collecting a massive amount of information about Kindle Fire users, and it has a responsibility to be transparent with its customers," he said.

HEALTHCARE PRIVACY—U.S.

Report Examines Patient Access to EHRs (November 30, 2011)

InformationWeek reports on a review in the Journal of the American Medical Informatics Association that looks at whether patients should have access to their electronic health records (EHRs). Among the barriers to granting such access are costs; the fragmentation of data among health organizations; lack of understanding about privacy concerns, and disagreement over who controls the data--the provider or the patient, the report states. Under the Health Insurance Portability and Accountability Act, patients can access their own records, but they are generally printed even if they originated in electronic form, the report states. 

ONLINE PRIVACY—U.S.

Privacy-Focused Startup Gains Momentum (November 30, 2011)

A startup that has created a blog option that focuses on privacy and controlled sharing is adding 15,000 users daily, the San Francisco Chronicle reports. Posterous has seen its service grow to 3.9 million members, the report states, with the startup's private blogging spaces four times more active than its public ones. Founder Sachin Agarwal said, "We've really seen both our existing users and new users latch on to the idea of controlled sharing." The company has also polled 2,014 social network users, finding that most do not understand social network privacy controls and the majority "would share more online if they could better control who could see what they're sharing," the report states.

PRIVACY LAW—U.S.

Opinion: Technology Is Eroding Privacy (November 30, 2011)

While the U.S. Supreme Court considers a case on whether GPS technology can be used to track suspects without a warrant, people across the country volunteer their location information through GPS-enabled applications on mobile devices, KDAF reports. "When you put these apps on the phone, you make the decision to let people in on your movements," says one cybersecurity expert who, according to the report, believes "many Americans are in a mindset of, bit by bit, allowing privacy expectations to wilt away." A Texas defense attorney says Americans' privacy is under attack. "There will be a day when law enforcement has the ability to turn on your cell phone and begin recording... it will be a slow erosion of rights," he opines.

PRIVACY LAW—U.S.

Facebook Agrees to Settle with FTC (November 29, 2011)
Facebook has agreed to settle charges levied by the Federal Trade Commission (FTC) that it deceived users about keeping their personal information private. According to an FTC press release, the proposed settlement would prevent the company "from making any further deceptive privacy claims, requires that the company get consumers' approval before it changes the way it shares their data and requires that it obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years."

PRIVACY LAW—EU

Reding: Streamline ISP Regulations (November 29, 2011)

In a speech on Monday, European Commission Vice President Viviane Reding called for a streamlined approach to how Internet service providers (ISPs) collect personal information, ReadWriteWeb reports. Instead of requiring ISPs to follow the EU's 27 different national data protection laws, new guidelines would require an ISP to follow the laws found in its native country. In text provided to ReadWriteWeb, Reding said that ISPs "need--the same as customers--to have a 'one-stop-shop' when it comes to data protection matters--one law and one single data protection authority for each business; that of the Member State in which they have their main establishment." Meanwhile, industry groups have warned the EU that "overly strict, static and bureaucratic data protection rules will have a detrimental impact on Europe's economy."   

PRIVACY LAW—CAYMAN ISLANDS

Data Protection Framework Would Seek Adequacy (November 29, 2011)

The government of the Cayman Islands is currently reviewing draft legislation for a robust data protection framework. Deputy Information Commissioner Jan Liebaers recently told the Daily Dashboard that the draft legislation "is modeled after the EU Data Protection Directive (95/46/EC) and the UK's Data Protection Act 1998" and that the driving force behind the framework is to gain adequacy status from the European Union. Liebaers said that gaining adequacy would not only promote more fluid data flows but also "strengthen links between businesses in the Caymans and the EU as well as multinationals which do business in the Cayman Islands." The Cayman Islands Cabinet is currently reviewing the draft and is expected to release its findings for public consultation soon.   

PRIVACY LAW—U.S.

Class-Action Could Set Encryption Standard, Sen. Wants Investigation (November 29, 2011)

Modern Healthcare reports on the class-action lawsuit filed by a patient of Sutter Medical Foundation claiming that the company failed to properly protect patient data. A stolen computer contained password-protected but unencrypted data on about 4.3 million people. The suit seeks $1,000 per breached patient record. At issue is whether it is negligent for a provider not to encrypt identifiable patient data. If the court decides "yes," says one expert, "It will create an enormous precedence as a standard of care." Meanwhile, Sen. Lisa Murkowski (R-AK) has called for an investigation into the recent TRICARE breach. She has also introduced an amendment calling for a risk assessment of third-party access to the stolen data. 

GEO PRIVACY—UK & U.S.

Tracking Shoppers’ Phones Raises Concerns (November 29, 2011)

Two U.S. malls that had planned to track shoppers via their mobile phones have scrapped their plans after hearing concerns from one senator's office, CNN reports. Sen. Charles Schumer (D-NY) said the tracking should have been opt-in only, noting, "A shopper's personal cell phone should not be used by a third party as a tracking device by retailers who are seeking to determine holiday shopping patterns." Meanwhile, the Daily Mail reports that shops in the UK are tracking shoppers via mobile phones and other technologies in ways that raise "serious questions about privacy."

PRIVACY LAW—U.S.

Judge Dismisses Class-Action on Data Sharing (November 29, 2011)

A federal judge has dismissed a class-action lawsuit against Facebook and Zynga alleging the companies leaked users' personal data to advertisers, Media Post reports. Consumers didn't prove they'd been harmed by the disclosures, and transmitting data to advertisers once users click on an ad doesn't violate U.S. law on electronic data, ruled U.S. District Court Judge James Ware. Meanwhile, Forbes reports on the difficulty of proving "harm" in privacy lawsuits. Plaintiffs generally rely on emotional or economic injury, but judges have been resistant and often dismiss the suits. In the U.S., harm must be "concrete...fairly traceable to the defendant's actions and likely redressed by a favorable decision," the report states.

PRIVACY LAW—ITALY

DPA Imposes Direct Marketing Limitation (November 29, 2011)

Personal data registered in a professional telephone directory cannot be used to propose commercial products or relevant offers without the express consent of the interested professional or other specific conditions. By means of an ad hoc decision, Italy's data protection authority, the Garante, has forbidden a telephone company to use the personal data of a lawyer to call him to promote its telephone products since the direct marketing operation was neither covered by the express consent of the lawyer nor focused on products directly connected to the legal profession. (Article in Italian.)

ONLINE PRIVACY

Twitter Acquires Whisper Systems (November 29, 2011)

The online messaging company Twitter has acquired Whisper Systems, a technology company that developed a software suite to protect people's cellphone and text communications from being obtained by third parties, reports The Wall Street Journal. The move has some questioning what plans Twitter has for the company and others disappointed that Whisper Systems' current services--which have been used by activist groups to organize--have been temporarily shut down. Twitter said in a statement that Whisper Systems' founders will join the company, "bringing their technology and security expertise to Twitter's products and services." (Registration may be required to access this story.)  

Cayman Islands working toward data protection framework (November 29, 2011)

By Jedidiah Bracy, CIPP

The government of the Cayman Islands is currently reviewing draft legislation that, if passed, would institute a robust data protection framework. The draft legislation comes four years after the Cayman Islands enacted the Freedom of Information (FOI) Law and will soon be available for public comment.

Sponsored by Cayman Island Attorney General Samuel Bulgin, the Cayman Island Data Protection Law (DPL) proposal has been drafted by the Data Protection Working Group (DPWG)—a group of public- and private-sector representatives—and submitted to the Cayman Islands Cabinet for review.

The DPL “is modeled after the EU Data Protection Directive (95/46/EC) and on the UK’s Data Protection Act 1998,” says Deputy Information Commissioner Jan Liebaers. “It is structured more concisely than its predecessors, with consecutive parts dealing with principles, rights of data subjects, notification responsibilities of data controllers, exemptions, functions of the information commissioner and enforcement.”

The draft contains many of the same components that make up the European framework, yet Liebaers also points out that because changes to the EU Data Protection Directive are imminent and the European Commission has voiced criticism of the UK Data Protection Act for non-compliance, “it was necessary to progressively modify the source legislation in significant ways after a careful analysis of the available literature on the subject.”

According to Liebaers, the analysis “has resulted in what we consider significant improvements” in several areas. The proposal has more “robust basic definitions” for concepts like personal data, sensitive personal data and consent. It would also extend “basic rights” to data subjects; implement data breach notification requirements for data controllers; create “clearer and more extended enforcement powers” for the information commissioner, and provide “generally, a more concise and logical structure.”

Additionally, the proposal would place the DPL under the “auspices of the existing freedom of information commissioner.” “As deputy information commissioner,” notes Liebaers, “I will likely play a central role in the planning and implementation of the new law and in the enforcement once it comes into effect.”

Liebaers says the driving force behind the draft bill is to gain adequacy status from the European Commission. Attaining adequacy, he says, would not only allow more fluid data flows, but also “strengthen links...

PRIVACY LAW—EU

Court of Justice Rules on ISPs, Processing Personal Data (November 28, 2011)
In separate rulings this past week, the European Court of Justice has determined two key issues related to data protection. In the SCARLET EXTENDED (BELGACOM GROUP) v SABAM case, which dates back to 2004, the European Court of Justice found that a requirement for a Belgian ISP to install a general filtering system was prohibited by Article 15(1) of the E-Commerce Directive.

GEO PRIVACY—U.S.

Malls Track Shoppers’ Cell Phones (November 28, 2011)

CNN reports on a move by two U.S. malls to track shoppers by monitoring mobile phone signals. The malls have posted signs notifying customers and are collecting anonymous data only, the report states, to answer such questions as how many shoppers who visit a particular department store also visit a specific coffee shop. Speaking to potential privacy concerns, one mall executive said they will not track singular shoppers. "The system monitors patterns of movement. We can see, like migrating birds, where people are going to," she said. Customers can opt out of the tracking by turning off their phones, the report states.   

PRIVACY LAW—U.S.

SCOTUS To Hear Key Privacy Case (November 28, 2011)

International Business Times reports on several key Supreme Court cases that are currently on the docket, including one that could affect "how privacy violations by the government can be redressed." FAA v. Cooper will be argued before the courts on November 30. The Ninth Circuit Court of Appeals held that a pilot suffered embarrassment and mental distress after the Social Security Administration disclosed the individual's health benefits records to the Federal Aviation Administration (FAA) without the pilot's consent during an FAA investigation. The FAA argues that because the suit has been filed against a government agency, the meaning and scope of the Privacy Act "should be narrowly viewed to cover damages that only result in actual money being lost," the report states. 

PRIVACY LAW—EU

Reding: More Transparency, More Harmonization (November 28, 2011)

European Commission Vice President Viviane Reding said in a speech on Monday that European Union (EU) data protection authorities need increased powers to enforce privacy legislation, Bloomberg reports. Reding also called for more harmonization between the EU's 27 member nations. "We need legal certainty and a level playing field for all businesses that handle personal data of our citizens," she said. The Telegraph reports that Facebook could face more scrutiny with the new EU Directive. Reding said, "I call on service providers--especially social media sites--to be more transparent about how they operate...Consumers in Europe should see their data strongly protected, regardless of the EU country where they live in and regardless of the country in which companies which process their personal data are established." The Article 29 Working Party is expected to meet soon to discuss the "state of play" of the social networking site. 

ONLINE PRIVACY—U.S.

Tech Companies Band Together for Updated Law (November 28, 2011)

NPR reports that some major tech companies are looking to Congress to update the Electronic Communications Privacy Act of 1986 (ECPA) to give it more clarity and consistency. Under ECPA, authorities don't need a warrant to access older e-mails and stored content has different protections than communications--which can be a confusing distinction. Jim Dempsey of the Center for Democracy and Technology says the industry has a financial interest in clarifying the law; "their business depends upon the trust of their consumers," he says, adding, "they're constantly facing from Europeans and from others...'our data is not secure if we trust it to an American company.'"    

PRIVACY LAW—U.S.

Settlement May Incite More Suits, Official Calls for National Notification Standards (November 28, 2011)

Dark Reading reports on a recently proposed settlement that may result in an additional flurry of data breach lawsuits. The proposed settlement would award one RockYou customer $2,000. RockYou's 32 million customers were affected in a 2009 data breach. The company allegedly stored unencrypted user account data in its database, used only five-character passwords and used e-mail to send passwords out. The proposed settlement may "prop the door open for more lawsuits," the report states. Meanwhile, U.S. Deputy Attorney General James Cole opines in The Sacramento Bee that Congress should act promptly to "require companies to comply with a national data breach notification requirement and hold them accountable to consumers and the marketplace."

SURVEILLANCE—CHINA

Taxi Cameras Irk Some, Please Others (November 28, 2011)

Audio and video recorders installed in about 6,000 Nanjing taxis are sparking privacy concerns in some, but others argue the recorders will help protect public safety. China Daily reports that while audio recordings will be stored in a data collector in the cab, images will be transferred to the police and transportation management authorities. "The only people who can have access to these recordings are the police and transportation management authorities who have proven they have reasons for dealing with public safety or with passengers' complaints," said Xu Hong of the Nanjing Passenger Transportation Management Office. Similar systems have been put in place in New Zealand, also eliciting privacy concerns.

HEALTHCARE PRIVACY—U.S.

Medical Data Protection Especially Risky (November 28, 2011)

Business Insurance reports on the difficulties healthcare institutions face in protecting customer data and preventing breaches. Healthcare data is at high risk for breaches because it is widely disseminated amongst multiple institutions and there is a growing black market for medical information, the report states. Institutions must also comply with various state and federal regulations according to the patient's jurisdiction--not the institution's. One legal expert says breach prevention competes with other priorities and so must "begin with the C-suite," adding that having top executives concerned about data protection "goes a very long way."

ONLINE PRIVACY

Exploring the Privacy Button (November 28, 2011)

In a podcast, The New York Times' media desk reporter, Tanzina Vega, discusses one company's attempt to offer its users an easy-to-use method to control their online data while exploring how the One Click Privacy button works. The new control, made by BrightTag, comes out while the Federal Trade Commission and the World Wide Web Consortium work on the creation of do-not-track standards. (Registration may be required to access this story.)

EU Court of Justice Rules ISP Filtering Inconsistent with Law (November 28, 2011)

By Jennifer L. Saunders, CIPP

The European Court of Justice ruled on November 24 in the SCARLET EXTENDED (BELGACOM GROUP) v. SABAM case that requiring Internet service providers (ISPs) to use systems “for filtering and blocking electronic communications is inconsistent with EU law,” as Bird & Bird LLP describes it in a recent review of the decision.

The decision in the case, which dates to 2004 and involved a Belgian company that managed copyrights, means that ISPs “can't be made to install monitoring systems to prevent illegal downloads of copyrighted material,” The Wall Street Journal reports.

The court found that the injunction imposed on the Belgian ISP to install a general filtering system “amounts to a general monitoring obligation, which is prohibited by Article 15(1) of the E-Commerce Directive,” the Bird & Bird report notes, adding the court found the injunction did not “strike a fair balance between the protection of intellectual property rights and the protection of the fundamental rights of individuals who are affected by such measures…and would infringe the fundamental rights of the ISP's customers, namely their freedom to receive or impart information and their right to protection of their personal data.”

Benoit Van Asbroeck, Maud Cock and Laurent Masson of Bird & Bird Brussels acted for Belgian ISP Scarlet from the appeal stage onwards, with Van Asbroeck conducting the pleadings before the court. Van Asbroeck shared his perspective on the ruling with the Daily Dashboard, describing it as a “seminal judgment” on multiple levels.

The decision, he explained, states “clearly that IP rights are not absolute but have to be balanced against other fundamental rights. Among those rights the court lists rights of privacy, free speech but also—and this is new in EUCJ case law—the freedom to conduct business. The addition of this right will make it more difficult in the future for IP rightholders to seek injunctions against ISPs which equipment are used for breaching IPR. Indeed, the court held that the injunction to implement a filtering device would be a serious infringement of the freedom of the ISP to conduct its business since it would require that ISP to install a complicated, costly permanent computer system at its own expense.”

With that, he notes, the court has confirmed that sought injunctions “should pass a proportionality test”—and neither be too complex nor too costly.

The court also made it clear that the use of a filtering device is...

The European Court of Justice Finds Spain in Breach of Article 7 (November 28, 2011)

By Ariane Mole

Partner, Bird & Bird

The European Court of Justice ruled on 24 November that Spain had not correctly transposed the provisions of EC Directive 95/46 on personal data protection concerning the balance of interests and that consequently Spanish law is in breach of Article 7(f) of the directive.

The disputes in the main proceedings and the questions referred for a preliminary ruling were the following.

Article 7 of Directive 95/46 provides a list of alternative conditions that must be fulfilled in order for the processing of personal data to be lawful. Among such conditions are the data subject’s consent, or the "balance of interests"—Article 7(f)—which provides that the processing of personal data is lawful if it is “necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection.”

However, according to the transposition in Spain, in the absence of the data subject’s consent, and in order to allow processing of personal data necessary to pursue a legitimate interest of the data controller, Spanish law requires not only that the fundamental rights and freedoms of the data subject be respected, but also that the data appear in public sources (Organic Law 15/1999 and Royal Decree 1720/2007).

As a consequence, this requirement prevents any data controller from processing data necessary to pursue its legitimate interest if such data do not appear in public sources, and thereby in practice forces all Spanish data controllers to obtain the data subjects' consent.

The Spanish National Association of Credit Institutions (Asociación Nacional de Establecimientos Financieros de Crédito—ASNEF), on the one hand, and the Spanish Federation for Electronic Commerce and Direct Marketing (Federación de Comercio Electrónico y Marketing Directo—FECEMD), on the other hand, have brought administrative proceedings challenging such transposition. In particular, ASNEF and FECEMD took the view that Spanish law adds a condition which does not exist in Directive 95/46. The Spanish Supreme Court considered that the merits of the actions brought by ASNEF and FECEMD depended on the interpretation by the European Court of Justice of Article 7(f) of Directive 95/46. Accordingly, it stated that, if the European Court of Justice were to hold that Member States are...

PRIVACY LAW—U.S.

Class-Action Targets Alleged DPPA Violations (November 23, 2011)
A class-action lawsuit has been filed against Best Buy Corporation on allegations that it violates the Drivers' Privacy Protection Act (DPPA). The law firm Leopold Kuvin PA filed the suit in the Southern District Court of Florida on Tuesday. The firm says that Best Buy's practice of collecting and retaining data from the driver's licenses of customers who return items is not a "normal course of business" use and therefore violates the DPPA.

TRAVELERS’ PRIVACY—U.S.

TSA Describes Scanners’ New Privacy Filters (November 23, 2011)

Speaking with CNN in advance of this week's Thanksgiving holiday travel, Transportation Security Administration (TSA) Administrator John Pistole described some of the privacy-focused changes travelers may encounter, such as fewer pat-downs and "the use of the advanced imaging technology--the scanners--that have privacy filters this year." He explained that about half of the TSA's scanners "have these privacy filters built in, and so as (people) go through these scanners, they can actually turn and look and see a generic outline of a person" rather than a detailed scan of each individual.

DATA PROTECTION—FRANCE

CNIL Issues Annual Report (November 23, 2011)

In its Annual Activity Report for 2010, the French Data Protection Authority (CNIL) outlines its recommendations on key topics including the revised EU Data Protection Directive, the right to be forgotten and the creation of binding international data protection regulations, reports Hunton & Williams' Privacy and Information Security Law Blog. The report also notes that the CNIL's powers were strengthened in the last year--it "issued its first injunctions to stop data processing activities" and "levied a record fine against Google," the report states. The authority also reviewed the implementation of 55 surveillance cameras and conducted 308 onsite inspections--up 14 percent from last year.  

PRIVACY LAW—EU

EDPS Calls for Strengthened IMI Data Protection Framework (November 23, 2011)

In an opinion released on Tuesday, the European Data Protection Supervisor (EDPS) called for improved data protection standards for the Internal Markets Information System (IMI), eGovmonitor reports. Recognizing the need for flexibility "to cover administrative cooperation in different policy areas," the EDPS says the flexibility should also bring with it legal certainty. According to the report, the EDPS recommends that foreseeable IMI components should be clarified and new functionalities should undergo safeguards such as a privacy impact assessment or a consultation with the EDPS or national data protection authorities. An EDPS spokesman said, "The EDPS calls attention to two key challenges: the need to ensure consistency in the legal framework, while respecting diversity, and the need to balance flexibility and legal certainty."  

PRIVACY LAW—U.S.

Negligence Suit Filed Over Medical Records Breach (November 23, 2011)

A patient of Sutter Medical Foundation has filed a class-action lawsuit in Sacramento Superior Court after the personal information of more than four million Sutter patients was compromised in a breach. The suit claims the company failed to properly protect patient data contained on a password-protected--but not encrypted--computer that was stolen and that Sutter Health did not notify affected patients in the required time allotment, reports The Sacramento Bee. "Sutter should've had that under lock and key," said an attorney with the filing firm, adding, "they have a financial interest to make sure security is of the utmost importance." 

HEALTHCARE PRIVACY—AUSTRALIA

Roxon Proposes Legislation for e-Health System (November 23, 2011)

Health Minister Nicola Roxon has introduced to Parliament legislation for Australia's personally controlled e-health records system that would protect patient data under the Privacy Act and includes strong penalties for breaches. However, The Australian reports that differing state and territorial health and privacy laws would still apply, prompting Privacy Commissioner Timothy Pilgrim to ask for greater auditing and investigatory powers. The bill also gives the federal government certain exemptions--drawing criticism from some--but the bill states, "If the Crown in any of its capacities does not comply with its obligations under this bill, other remedies are potentially available," including being "investigated by the information commissioner under the Privacy Act." (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

ONC Study Will Measure Public Sentiment on EMRs (November 23, 2011)

The Department of Health and Human Services Office of the National Coordinator (ONC) for Health Information Technology wants to know more about the public's attitude toward electronic medical records (EMRs). American Medical News reports that the ONC will embark on a five-year study to find out how many people "are concerned about the privacy and security of EMRs...have kept any part of their medical history from their doctor due to privacy concerns" or are concerned about the electronic transfer of their medical information. The ONC will survey 2,000 individuals annually beginning in 2012, the report states.  
Full Story

ONLINE PRIVACY

Privacy-Focused Browser Extension Released (November 23, 2011)

PCWorld reports on a team of European and U.S.-based privacy researchers and product designers that has released "a browser-based implementation of Privicons, a project that aims to provide users with a simple method of expressing their expectations of privacy when sending e-mail." The "Privicons" are six icons matched with instructions such as "don't attribute" or "keep private" that users can add to their e-mails "to instruct recipients about how to handle a message or its content," the report states. Project proponents note it is based on user choice rather than the technological enforcement used for most e-mail privacy efforts. 
Full Story

DATA PROTECTION

Data Breach Expert Discusses Trends (November 23, 2011)

Privacy expert Lucy Thomson, CIPP/G, discusses current trends in data breach notification rules and regulations in this GovInfoSecurity podcast. Many governments are strengthening laws, Thomson says, but discrepancies in breach notification laws are particularly evident in the area of encryption standards. "There are six or seven different standards that states use, so global businesses have to sort through inconsistencies and ambiguities." Thomson says that she advises companies to "follow the strictest standards, and then they'll be safe."  
Full Story

TRAVELERS’ PRIVACY—U.S. & EU

Passenger Name Record Deal Signed (November 22, 2011)

AFP reports that the U.S. and the European Union (EU) have signed a draft agreement on sharing passenger information for flights between both regions. The pact must now be approved by the European Council and European Parliament. EU Commissioner for Home Affairs Cecilia Malmström said the agreement "contains robust safeguards for European citizens' privacy, without undermining the effectiveness of the agreement in terms of EU and U.S. security."

FINANCIAL PRIVACY—INDIA

Firm Publishes 1.2M Investors’ Data Online (November 22, 2011)

Despite Finance Minister Pranab Mukherjee's rejection last year of a proposal from National Intelligence Grid to access details of all bank accounts, the investment firm Power Finance Corp has published the details of 1.2 million of its customers online. Moneylife reports that the data includes names, addresses, phone numbers and e-mail IDs. The exposure has reinforced advocates' data protection concerns with the country's unique ID program. "Privacy law is still being made, and until it is in place, the UIDAI (Unique ID Authority of India) should not be doing what it is, and it certainly cannot be allowed to share information as it proposes to do under the 'information consent' clause in its form," said one privacy advocate.
Full Story

PRIVACY LAW—U.S.

FTC Extends COPPA Comment Deadline (November 22, 2011)

In a press release, the Federal Trade Commission (FTC) announced that it has extended the deadline for public comment on proposed changes to the Children's Online Privacy Protection Rule to December 23. Originally scheduled to end November 28, the FTC said it has lengthened the review period because organizations say the "nature and complexity of the questions and issues raised by the proposed amendments" require more time for review. The FTC's vote for the extension was unanimous. Meanwhile, the FTC has released the agenda for its workshop on facial recognition technology. "Face Facts: A Forum on Facial Recognition Technology" is free to the public and will be held at the FTC Conference Center on December 8. Editor's Note: The IAPP Practical Privacy Series will be held in Washington, DC, December 6-7.
Full Story

PRIVACY LAW—U.S.

Committee Mulls DNA Testing (November 22, 2011)

A Texas House committee will scrutinize the use of DNA testing within the state as it considers certifying additional DNA testing centers, the Associated Press reports. Chaired by Rep. Pete Gallego (D-Alpine), the House Criminal Jurisprudence Committee will today hear from experts on the topic ahead of making its recommendations. Meanwhile, Minnesota's Supreme Court ruled last week that the collection and retention of newborns' DNA violates privacy rights. Nine families sued the state in 2009 over the practice.
Full Story

DATA THEFT

Company Reports Attempted Hack (November 22, 2011)

PCWorld reports that AT&T has notified customers of an "organized and systematic" attempt to access their personal account information. In an e-mail, the company said that it did not "believe that the perpetrators of this attack obtained access" to the accounts when using auto script technology to "determine whether AT&T telephone numbers were linked to online AT&T accounts." The company said it will investigate the incident.
Full Story

DATA PROTECTION—U.S.

For CFOs, Data Protection Is “Economic Requirement” (November 22, 2011)

CFOworld reports on the role of chief financial officers (CFOs) in approving IT spending and handling the fallout of data breaches, quoting one expert's recommendation that CFOs ensure "business managers treat security as an economic requirement." The report highlights recent high-profile breach incidents that have resulted in "cleanup costs" totaling hundreds of millions of dollars. Another expert advises that how much data is stored is a key consideration, as breaches of PII and proprietary information alike "could impact revenues, good will, reputation and client trust. That all comes down to cost, whether it's lost revenues or whether it's remediation." He recommends CFOs and CIOs work together to protect data.
Full Story

DATA PROTECTION—EU & U.S.

CNIL Head: Regions Disagree on Privacy vs. Security (November 21, 2011)

Head of the French Data Protection Authority (CNIL) Isabelle Falque-Pierrotin told the Associated Press in an interview that European and American views on the balance between data protection and security are "not totally aligned." Falque-Pierrotin said that while European authorities understand U.S. concerns over terrorist threats after 9/11, Europe "is trying to negotiate to make sure that data and Internet privacy is respected."

PRIVACY LAW—NEW ZEALAND

Privacy Commissioner Publishes Annual Report (November 21, 2011)

New Zealand Privacy Commissioner Marie Shroff has released her annual report for 2011. The report details the office's activities throughout the year, which range from enquiry handling and complaint investigations to privacy education, policy work and collaborative efforts with global peers. The office fielded 7,000 enquiries, including 968 complaints, 80 percent of which were closed within six months of receipt, according to the commissioner's media release. Twenty-eight percent of complaints were closed by settlement or mediation. "We try to move parties towards settlement, helping them to avoid the expense and stress of tribunal proceedings," the report states.
Full Story

SURVEILLANCE—U.S.

License Plate Readers Bring Privacy Concerns (November 21, 2011)

Police use cameras that read license plates for help in catching car thieves and people fleeing crimes, but more recently, they have been storing the data--for three years in Washington, DC--and in some cases using it as a crime-prevention tool, reports The Washington Post. "That's quite a large database of innocent people's comings and goings," says an American Civil Liberties Union representative. However, police argue that it's a valuable tool, leading to an average of one arrest each day in DC. Privacy law expert Orin Kerr says, "It's big brother, and the question is, is it big brother we want, or big brother that we don't want? I think we need a conversation about whether and how this technology is used." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—AUSTRALIA

Commissioner: Privacy Torts Too Limited (November 21, 2011)

Privacy Commissioner Timothy Pilgrim says he favors government-backed conciliation over litigation in cases of breached privacy, The Australian reports. In a submission to the government, Pilgrim outlines a framework where privacy complaints would first go to the Office of the Australian Information Commissioner (OAIC) and not the courts. If conciliation through the OAIC proved unsuccessful or if a legal referral was needed, the case would then go to the courts for a solution. Earlier this year, Privacy Minister Brendan O'Connor submitted a proposal calling for the federal government to create a "statutory cause of action." Pilgrim's submission says, "If the cause of action is actionable directly to the courts, sections of the public who are not in a position to access the civil justice system may be unable to enforce their rights." (Registration may be required to access this story.)
Full Story

GENETIC PRIVACY—EU

Experts: DNA Requires Privacy Protection (November 21, 2011)

Experts are advising the EU to ensure privacy is protected and that technological advances do not make it possible for employers and insurers to abuse genetic data, the Irish Times reports. Speaking at a conference in Ireland, scientific and legal experts "outlined how genetic testing techniques may be able to detect the onset of future disabilities and how this technology is used increasingly in both employment and insurance contexts." With no EU-level regulation to "ensure the privacy...or to prevent the discriminatory use of such information," one expert recommends "a transatlantic dialogue between the EU and the U.S." as U.S. legislation "has struck a balance between the rights of employers and insurers and the rights of individuals."
Full Story

EMPLOYEE PRIVACY—CANADA

Review: Board Must Protect Privacy (November 21, 2011)

The Chronicle Herald reports on the completion of a review of the Workers' Compensation Board of Nova Scotia launched in January by Dulcie McCallum, the province's freedom of information and privacy review officer. "Internal memos show that the board has broken the province's privacy law with 155 breaches of clients' personal information over a 32-month period," the report states, noting the review includes 21 recommendations for improved data protection and advises the board "to put privacy on a higher plane and recognize that it is the guardian of sensitive personal and personal health information." The board's CEO has said it plans to adopt all of the report's recommendations.
Full Story

ONLINE PRIVACY—U.S.

Opinion: More Online Consumer Protection Needed (November 21, 2011)

A New York Times editorial points to the amount of personal information gleaned from the Internet and asserts that "Despite bipartisan concern about potential abuses, Congress has not acted to protect consumer privacy..." With "little chance legislation will pass anytime soon," the Federal Trade Commission (FTC) is taking action to "set minimum standards of behavior--pursuing companies for deceiving consumers about how they will use names, e-mails and browsing habits." The editorial adds that "Congress should act on the FTC's recommendation to establish a system that would allow consumers to effectively opt out of all tracking of their online activities...But with Congress stuck in a partisan rut, it is reassuring to see the FTC at work." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge: Warrantless Cellphone Tracking Unconstitutional (November 18, 2011)

The Wall Street Journal reports that U.S. District Court Judge Lynn N. Hughes has declared it unconstitutional for the government to obtain cellphone records without a warrant. Hughes wrote, "The records would show the date, time, called number and location of the telephone when the call was made...These data are constitutionally protected from this intrusion." The ruling comes a week after the Supreme Court heard oral arguments about a case involving the surveillance of an individual by using a GPS tracking device without a warrant. The article reviews a number of recent court rulings involving warrantless searches. (Registration may be required to access this story.)
Full Story

DATA LOSS

APEC Committee Notifies Members of Breach (November 18, 2011)

The Honolulu Star Advertiser reports that the personal details of certain APEC committee members may have been exposed in a data breach. Member of the APEC 2011 Hawaii Host Committee and East-West Center President Charles Morrison this week notified about 40 other host committee members that "an outside source" may have gained access to the details, which included data that members provided in order to gain security clearances before meeting with U.S. President Barack Obama on Saturday. (Registration may be required to access this story.)
Full Story

DATA LOSS—U.S.

In Two Years, 18 Million Affected in Healthcare Breaches (November 18, 2011)

The Associated Press reports on the scope of data breaches in the healthcare sector during the past two years. In addition to the California-based Sutter Medical Foundation breach that affected more than four million patients after a computer was stolen, there have been 364 reported incidents of data loss on nearly 18 million patients--"equivalent to the population of Florida." Of the Sutter Medical Foundation breach, Privacy Rights Clearinghouse Director Beth Givens said, "Had this data been encrypted, you and I wouldn't be having this discussion. It would be a nonissue." Meanwhile, Lawrence Memorial Hospital in Kansas may undergo a federal investigation for a breach that may have compromised the information of approximately 8,000 patients.
Full Story

HEALTHCARE PRIVACY—U.S.

Rodriguez Expects HIPAA Audits Will Become Permanent (November 18, 2011)

At the annual meeting of the Office of the National Coordinator for Health IT yesterday, Leon Rodriguez, the director of the HHS Office for Civil Rights (OCR), said he "fully expects" the government will institute a permanent HIPAA compliance audit program after the current pilot program wraps up in 2012, GovInfoSecurity reports. The agency will conduct 150 audits over the next 11 months. Rodriguez said the audits are intended to help entities improve compliance with HIPAA. During his presentation, he also addressed the call by Sen. Al Franken (D-MN) for the OCR to "hurry up" and release its final rules for HIPAA modifications. "We indeed are hurrying up," Rodriguez said.
Full Story

PRIVACY—U.S.

FTC’s Groman To Head NAI (November 18, 2011)

The Network Advertising Initiative (NAI) has announced that it has appointed Federal Trade Commission (FTC) Chief Privacy Officer Marc Groman, CIPP, as its new executive director and general counsel. In this Daily Dashboard exclusive, NAI Board of Directors Chairman and Microsoft Director of Privacy Robert Gratchner, CIPP, discusses why the self-regulatory organization chose Groman and how his appointment will help take the NAI to a new level. Groman will be joining the NAI in December. 
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Patients Warm to Records Sharing, But Concerns Persist (November 18, 2011)

A PricewaterhouseCoopers study shows that while many patients like the idea of improving care through records sharing, privacy concerns linger. The online survey of 1,000 consumers found that 60 percent of respondents were comfortable with records sharing between healthcare providers if it would improve the coordination of their care, and 54 percent approve the sharing for supporting real-time decisions in their care. InformationWeek reports that while patients seem to be warming to the idea of health data sharing, 30 percent said "if cost, quality and access were equal among choices, they'd be swayed to select one hospital over another if one had clearer privacy and security policies."
Full Story

FTC Chief Privacy Officer To Become New Executive Director of NAI (November 18, 2011)

Yesterday, the Network Advertising Initiative (NAI) board of directors announced that it has appointed Federal Trade Commission (FTC) Chief Privacy Officer Marc Groman, CIPP, as its new executive director and general counsel.

PRIVACY LAW—EU & U.S.

Reding Talks Self-Regulation, Harmonization (November 17, 2011)

In a Q&A with The Washington Post, European Commission Vice President Viviane Reding said that self-regulation is "little more than a fig leaf" and only works "if there is strong, legally binding regulation in the first place." Reding also stressed the need for harmonization in the European marketplace.

GENETIC PRIVACY—U.S.

MN Supreme Court Rules on Newborn DNA Retention (November 17, 2011)

The Minnesota Supreme Court ruled yesterday on a genetic privacy lawsuit that could have national implications. The court decided that a lower court must reconsider a challenge to the state's newborn screening program, which requires the collection and retention of newborns' DNA, TwinCities.com reports. Nine families sued the state in 2009, opposing the retention policies for newborns' blood samples. In 2010, the Minnesota Court of Appeals ruled that the state's practices did not violate privacy rights due to an exception allowed for in the state's Genetic Privacy Act, but the Supreme Court rejected that argument yesterday. 
Full Story

TRAVELERS’ PRIVACY—CANADA

OPC Audit Raises Airport Data Collection Concerns (November 17, 2011)

"The Government of Canada is collecting too much information about some air travelers and is not always safeguarding it properly." Those are the findings of Privacy Commissioner Jennifer Stoddart in an audit published today as part of the Office of the Privacy Commissioner's (OPC) annual report. The OPC has announced that the audit, which reviewed Canadian Air Transport Security Authority privacy policies and practices, has determined the authority reached "beyond its mandate" by collecting information on passengers in ways that were "not related to aviation security." The audit also found "types of personal information collected by the agency were not always properly secured" and that prohibited items--including closed-circuit television cameras--were located in full-body scan screening rooms.
Full Story

DATA LOSS—U.S.

Computer Theft Affects Millions of Patients (November 17, 2011)

The personal information of more than four million patients of the Sutter Medical Foundation was compromised when a password-protected but unencrypted computer was stolen from the foundation's offices in October, The Sacramento Bee reports. Data on approximately 3.3 million of the patients included names, mailing and e-mail addresses, birth dates, telephone numbers and health plans. Sutter Health officials have contacted state and federal authorities, are conducting an investigation and have begun encrypting their computers. Meanwhile, Union Bank & Trust, which oversees Illinois' Bright Directions tuition program, mistakenly sent out 36,000 letters with the recipients' Social Security numbers printed on the envelopes, UPI reports. The bank is offering free identity theft services and credit monitoring.   
Full Story

ONLINE PRIVACY—U.S.

Lawmakers Want Answers on Tracking (November 17, 2011)

Sen. Jay Rockefeller (D-WV) says he will invite Facebook and others to a hearing to explain how they use data collected through online tracking in response to a USA TODAY article detailing the company's tracking practices. "The USA TODAY story is disturbing. No company should track customers without their knowledge or consent, especially a company with 800 million users and a trove of unique personal data on its users," said Rockefeller. Meanwhile, Rep. Mary Bono Mack (R-CA) has directed her staff to schedule a briefing with the company's officials next week to explain how a spam attack caused graphic images to be posted on some users' profile pages.   
Full Story

PRIVACY LAW—U.S.

Opinion: Reasonable Expectation of Privacy Central to SCOTUS Case (November 17, 2011)

In a column for The New York Times, Linda Greenhouse explores the privacy concerns that surround a GPS surveillance case being heard by the Supreme Court. United States v. Jones "has generated an enormous amount of attention," and when the case was argued last week, the justices, "across the ideological spectrum...expressed alarm at the federal government's core argument, which is that because the GPS tracks the location of vehicles only as they travel the public roadways...nothing of constitutional consequence occurred." Justice Samuel A. Alito, Jr., said "that in the pre-computer, pre-Internet age, much of the privacy...that people enjoyed was not the result of legal protections or constitutional protections. It was the result simply of the difficulty of traveling around and gathering up information." Greenhouse asserts that Alito "put his finger on the precise issue" when he brought up the question of what, in this case, is "the reasonable expectation of privacy." (Registration may be required to access this story.)  
Full Story

ONLINE PRIVACY

Company Offers WiFi Opt-Out (November 16, 2011)

Google has agreed to provide a WiFi opt-out method for users who prefer to keep the names and locations of their wireless routers out of the company's database. The move comes after the company faced increased pressure from data protection authorities in the Netherlands, The New York Times reports.

ONLINE PRIVACY—U.S. & CHINA

Officials Discuss Privacy Concerns (November 16, 2011)

The Wall Street Journal reports that U.S. officials are urging China to address companies' online privacy and security concerns as multinational companies hope to include China in cloud computing services. As one U.S. official put it, the "U.S. and China will have to agree on a set of principles that will encourage American companies to use China-based servers." The remarks followed a visit by a U.S. delegation to discuss Internet freedom and other issues with Chinese regulators. The report points out that information stored in Chinese data centers could be vulnerable to government seizure, which prompts many companies to host such services outside the country. (Registration may be required to access this story.)  
Full Story

BIOMETRICS—UK & INDIA

Frontline: It Failed in the UK; Will It Work in India? (November 16, 2011)

India's Unique Identification project (UID) will assign every citizen a unique 12-digit identifying number linked to their biometric and demographic information. The project has generated concerns around the scheme's privacy safeguards. The UK planned to implement a biometric identification program in 2004, but concerns were raised about "a potential danger to the public interest and to the legal rights of individuals," among others, and the plan was halted in 2010. In this Frontline report, Edgar Whitley, research coordinator of the London School of Economics Identity Project, discusses why certain biometric identification plans failed.  
Full Story

ONLINE PRIVACY

Should Consumers Worry? Experts Share Views (November 16, 2011)

The Wall Street Journal assembled a diverse panel of experts to discuss the degree to which individuals should worry about their online privacy, including topics such as social network privacy controls, online behavioral advertising and government surveillance. Panelists included Steptoe & Johnson Partner Stewart Baker, Microsoft Senior Researcher danah boyd, CUNY Graduate School of Journalism Prof. Jeff Jarvis and Open Society Institute Fellow Christopher Soghoian. "If we overregulate privacy managing only to the worst case," said Jarvis, "we could lose sight of the benefits of publicness, the value of sharing." Personal data collected by firms "is like toxic waste," said Soghoian, "eventually, there will be an accident that will be impossible to clean up, leaving those whose data has spewed all over the Internet to bear the full costs of the breach." (Registration may be required to access this story.) Editor's Note: Jeff Jarvis will deliver a keynote address at the IAPP Global Privacy Summit 2012.
Full Story

SOCIAL NETWORKING—U.S.

Spammers Attack Facebook (November 16, 2011)

The Washington Post reports on a Facebook spam attack causing graphic images to be posted on some users' profile pages. The company said it is working to shut down the accounts of those responsible, the report states, and that the attack did not appear to compromise user data. Meanwhile, USA TODAY reports on the social network's acknowledgement that it uses tracking cookies to keep logs of the Web pages its users have traveled to in the past 90 days and where non-users have visited after they've gone to Facebook's website. Reps. Ed Markey (D-MA) and Joe Barton (R-TX) have written to Facebook CEO Mark Zuckerberg asking him to explain the company's tracking practices by December 1. (Registration may be required to access this story.) 
Full Story

ONLINE PRIVACY

As Influence Grows, So Do Privacy Challenges (November 16, 2011)

A company that ranks users' online influence using their social media activity is facing criticism for creating "shadow profiles" of non-users without permission, reports the Financial Post. Klout searches publicly available information on the Internet to build its rankings--and in some cases inadvertently created profiles for minors. While some are criticizing the company, others say it is using the same practice as many other online companies: scour the Web for data and aggregate it. "They may not be creating a profile for me or assigning me a Klout rank, but it fundamentally amounts to the same thing," says GigaOm's Mathew Ingram. Klout's CEO says the company no longer automatically creates profiles and has made it easy for people to opt out of the service.  
Full Story

ONLINE PRIVACY—U.S.

White House To Release Consumer Bill of Rights (November 15, 2011)

Internet firms should create self-imposed rules to be enforced by the Federal Trade Commission. That's according to U.S. Deputy Chief Technology Officer Daniel Weitzner, who said in a speech at the U.S. Chamber of Commerce that "any new online privacy law should be 'flexible' and 'pro-innovation,'" reports The Washington Post. Rules that are too restrictive will hamper the growing room necessary for Internet commerce's success, he said, urging the U.S. to model Europe's hybrid approach of self-regulation and enforcement.

ONLINE PRIVACY—U.S.

W3C Releases Do-Not-Track Draft (November 15, 2011)

The World Wide Web Consortium (W3C) has released the first draft of its proposed standards for do not track, InformationWeek reports. The mechanism will give online users the power to opt out of having their online movements and personal information tracked by marketers. In an effort to balance the advertising industry's data collection needs, do not track likely would not be a default setting, the report states. If it were, "then you'd offer too much privacy to the people who don't care," said a W3C spokesman. The group plans to release its final standard by the summer of 2012. 
Full Story

PRIVACY LAW

APEC Endorses Cross-Border Rules (November 15, 2011)

At a meeting in Hawaii this week, the Asia-Pacific Economic Cooperation (APEC) leaders endorsed the APEC Cross-Border Privacy Rules (CBPRs), reports Hunton & Williams' Privacy and Information Security Law Blog. Implementing the rules enables data flow across borders "while enhancing data privacy practices; facilitating regulatory cooperation, and enabling greater accountability through the use of common principles, coordinated legal approaches and accountability agents," said an APEC statement. Welcoming the approval of the rules, FTC Commissioner Edith Ramirez said they have the potential to "significantly benefit companies, consumers and privacy regulators." The APEC Data Privacy Subgroup will next begin developing the structure for CBPR implementation, the report states.
Full Story

TRAVELERS’ PRIVACY—EU

Body Scanner Guidelines Aim To Protect Privacy (November 15, 2011)

The European Union (EU) has adopted new guidelines for the use of airport body scanners and, according to the EU commissioner of transport, the rules will help protect privacy and supply travelers with basic rights, The Washington Post reports. The new guidelines mandate that scanners not store or copy passenger images, security agents analyzing images be in a room separate from the actual screening and passengers be notified and granted an alternative screening method. A spokeswoman from the transport commission said, "The most important provision is that every passenger has the right to opt out and ask for the use of an alternative method." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Senate Commerce To Consider FTC Nominees (November 15, 2011)

At a hearing this afternoon, the Senate Commerce Committee will consider the reappointment of Federal Trade Commission (FTC) Chairman Jon Leibowitz and the nomination of Maureen Ohlhausen to fill an open commissioner's seat. Multichannel News reports that Ohlhausen would replace Republican Bill Kovacic. At the hearing, Leibowitz is expected to assert that consumer privacy would continue to be a "major focus" under his leadership. Ohlhausen worked on privacy issues at the law firm Wilkinson Barker Knauer and previously spent 12 years at the FTC, including a stint as director of the Office of Policy Planning, according to The Hill.
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Social Networking Suit (November 15, 2011)

U.S. District Court Judge Lucy Koh has dismissed a lawsuit against LinkedIn alleging that the company violated a user's privacy by exposing his browsing history along with his LinkedIn unique ID, reports MediaPost News. Koh gave the plaintiff 21 days to amend and refile his case, ruling the plaintiff "has not alleged how third-party advertisers would be able to infer...personal identity from LinkedIn's anonymous user ID combined with his browsing history" nor "that his browsing history...was actually linked to his identity by LinkedIn and actually transmitted to any third parties." Koh also rejected claims of financial harm, stating the plaintiff didn't show how he was prevented from "capitalizing on the value of his personal data."
Full Story

PRIVACY LAW—CANADA & U.S.

Stoddart: Border Agreement Shouldn’t Sacrifice Privacy (November 15, 2011)

The perimeter agreement negotiations currently underway between Canada and the U.S. "can easily be compared to two individuals drastically redefining their relationship," writes Canadian Privacy Commissioner Jennifer Stoddart in The Huffington Post Canada. Noting that both countries "strongly value their privacy and realize its importance to the vitality of our democracies," Stoddart points out that "some key legislative differences on privacy protection exist between our countries," meaning that Canadians should "think about what we share and where we differ." Stoddart highlights three main differences between U.S. and Canadian approaches to privacy, including the protection of citizens' privacy from the federal government; national privacy legislation and an independent authority to oversee privacy issues.
Full Story

ONLINE PRIVACY

Official: Does “Right To Be Forgotten” Give False Expectations? (November 15, 2011)

In a speech he delivered this month, UK Culture Minister Ed Vaizey questioned whether the call for a right to be forgotten online is giving consumers "false expectations." Research Magazine reports that while Vaizey expressed agreement, in principle, with EU Commissioner Viviane Reding's call for consumers to have a right to remove information posted about them online, he has questions about the "practicalities of any regulation"--especially with regard to how it would apply to companies based outside the EU. A ZDNet report highlights key online companies with a presence in the EU, noting the law would force "the parent corporation to abide by European law, as well as (where) the law their headquarters is based."
Full Story

PRIVACY LAW—U.S.

Company Calls Age Disclosure Suit “Frivolous” (November 15, 2011)

The Associated Press reports on a lawsuit by an actress upset at the revelation of her age on Amazon's Internet Movie Database (IMDb) that alleges the company used credit card information to gather her birthdate after she signed up for a subscription service. She contends that after it appeared on her IMDb profile, job offers "dropped sharply." In motions to dismiss the case, attorneys write that the plaintiff's "attempt to manipulate the federal court system so she can censor IMDb.com's display of her birthdate and pretend to the world that she is not 40 years old is selfish, contrary to the public interest and a frivolous abuse of this court's resources."

PRIVACY—CANADA

Cavoukian Awarded as an “Influential Woman” (November 15, 2011)

Ontario Information and Privacy Commissioner Ann Cavoukian has been named one of Canada's 25 most influential women by Women of Influence, Digital Journal reports. The award cites Cavoukian's work in protecting privacy and recognizes her as one of the leading privacy experts in the world. "I am deeply honored at being included in this distinguished group of women and hope to shine greater attention to the pursuit of preserving our freedoms, which are built up on a bedrock of privacy," the commissioner said. 

BIOMETRICS

Creepy or Cool? Facial Recognition Is on the Rise (November 14, 2011)
From digital billboards that target advertising based on the demographics of passersby to an app that scans bars determining the average age and gender of the crowd to Facebook's "Tag Suggestions" feature, facial recognition is looking like the wave of the future, The New York Times reports. While some see the trend as an opportunity to offer and receive relevant information, others are concerned about potentially more intrusive uses of the technology.

SURVEILLANCE—U.S.

Pundits Weigh In on GPS Surveillance Case (November 14, 2011)

United States v. Jones, the Supreme Court case involving law enforcement's use of GPS to track a suspected criminal's location using an expired warrant, has experts weighing in on the trade-offs technology presents. "As we get used to new technology," opines L. Gordon Crovitz for The Wall Street Journal, "expectations of privacy decrease and more searches seem reasonable." Jonathan Turley agrees in The Washington Post, writing that "We have grown accustomed to living under observation, even reassured by it. So much so that few are likely to notice, let alone mourn, privacy's passing." Whatever decision the court makes or laws Congress enacts, "both officers and citizens deserve to know what's fair game and what's not before it's too late," writes Derrick Harris for GigaOM. (Registration may be required to access this story.)

SURVEILLANCE—UK

Oxford Taxis To Record Audio, ICO Responds (November 14, 2011)

The Oxford City Council is backing a decision to require CCTV cameras in the city's taxis to record all conversations while the information commissioner and privacy advocates are calling it a violation of privacy. The council says audio recording is critical for public safety and that the recordings would not be used unless needed in a specific crime or licensing issue, The Oxford Times reports. But Information Commissioner Christopher Graham says, "CCTV must not be used to record conversations between members of the public as this is highly intrusive." His office recommends solutions such as a system where audio recording is triggered by excessive noise or a panic button.

PERSONAL PRIVACY—U.S.

States Unsure on Smart Meter Implementation (November 14, 2011)

Smart meters are increasingly being installed at households across the nation--but privacy concerns have followed, reports the Associated Press. Regulators in Nevada--where more than 500,000 meters have been installed--have received complaints, as have regulators in Vermont and California. Connecticut's energy commissioner has called for plans to delay so that new smart meter policies can be drafted ahead of deployment. Forty-seven cities and counties have adopted resolutions opposing smart meter installation, The Washington Post reports, and the state of Maryland has blocked installation. One California utility has been ordered by the California Public Utilities Commission to allow customers to opt out. Editor's note: Visit the IAPP Knowledge Center to learn more about designing privacy into the smart grid.

DATA LOSS—U.S.

Breaches of Healthcare, Student Data Reported (November 14, 2011)

Breaches of healthcare and student data have been reported in three states. The Richmond Times-Dispatch reports that Virginia Commonwealth University is warning hundreds of thousands of individuals that their personal information may have been exposed when an unauthorized person gained access to a server. University officials believe the likelihood of data compromise "is very low." Meanwhile, in responding to a breach incident at the University of Texas-Pan American, officials said none of the student information that was exposed online for two months "is of the type that is likely to be useful for identity theft or other fraudulent purposes." And, Easley Patch reports that clinical assessments and other confidential mental health patient information were discovered on the hard drive of a computer purchased by a man in Pickens County, South Carolina.

PRIVACY LAW—U.S.

FTC-Facebook Settlement Near (November 11, 2011)
The Wall Street Journal reports that the Federal Trade Commission and Facebook are finalizing a proposed settlement related to changes the company made to its privacy settings in 2009. Under the settlement--which has not yet been approved by the FTC's commissioners--the company would be required to obtain "express affirmative consent" when making "material retroactive changes," the report states. The settlement would also require the company to undergo privacy audits for two decades. (Registration may be required to access this story.)

BIOMETRICS—GERMANY

Hamburg DPA Preparing Legal Remedy (November 11, 2011)

Hamburg's Commissioner for Data Protection and Freedom of Information says Facebook has failed to bring its facial recognition function into line with European and German data protection laws and he will "make use of the legal avenues available" to remedy the matter. Johannes Caspar in October demanded the company begin seeking users' consent before enabling the function, but the method the company introduced to meet this demand "is insufficient to provide a substantive legitimation to the collection of users' biometric face profiles," according to a commission press release. "After the months of negotiations we have conducted with Facebook, this result is a disappointing one," said Caspar.

PRIVACY LAW—U.S.

Judge: Twitter Must Release User Data (November 11, 2011)

A federal judge yesterday ruled that Twitter must disclose to the Department of Justice (DoJ) information on three users believed to be associated with WikiLeaks, The New York Times reports. The DoJ demanded the company release their Internet protocol (IP) addresses, but the account holders--an American, a Dutch citizen and an Icelandic parliamentarian--argued that doing so would violate their privacy. But Judge Liam O'Grady of the United States District Court said the petitioners "knew or should have known that their IP information was subject to examination by Twitter, so they had a lessened expectation of privacy in that information, particularly in light of their apparent consent to the Twitter terms of service and privacy policy." (Registration may be required to access this story.)   

PRIVACY LAW—UK

Employee Guilty of Selling Gambler Data (November 11, 2011)

A former gambling industry worker has pleaded guilty to obtaining and selling more than 65,000 gamblers' personal information, according to a press release from the Information Commissioner's Office (ICO). Hendon Magistrates Court has ordered Marc Ben-Ezra to pay £1,700 to a company whose customer data he stole and £830.80 in other costs. Ben-Ezra was also given a three-year conditional discharge. Ben-Ezra e-mailed a number of UK gaming industry contacts asking if they wanted to purchase customer data--including names, addresses, e-mail addresses, telephone numbers and usernames. "This case shows that the unlawful trade in personal information is unfortunately still a thriving and lucrative activity," said Information Commissioner Christopher Graham, adding that stiffer penalties for such crimes are needed.        

ONLINE PRIVACY—EU

“Right to be Forgotten” A Problem for Publishers? (November 11, 2011)

Among the proposals being considered in the European Union's (EU) updated data protection framework is what EU Justice Commissioner Viviane Reding said is the right for consumers "to delete their data at any time, especially the data they post on the Internet themselves." The "right to be forgotten" could pose problems for publishers that store media stories containing personal data about individuals. Reding said that publishers had the right to archive these stories if they were in the "public interest," Out-Law.com reports. A media law expert said, "Distinguishing between what is in the public interest and what is simply of interest to the public is not always easy and the inherent conflict between the right of free speech and the right to privacy will remain a difficult one to reconcile under this proposed regime."        

DATA LOSS

Gaming Service Breached (November 11, 2011)

V3.co.uk reports that hackers have infiltrated the systems of Valve--a games developer--and accessed customer data from the company's Steam networking service. In addition to "defacement" of Steam's online forums, a database containing user names, e-mail addresses, purchase histories and billing addresses was accessed. Valve also said that credit card numbers and passwords were obtained but were encrypted. A statement from Valve said, "We do not have evidence that encrypted credit card numbers or personally identifying information was taken by the intruders, or that the protection on credit card numbers or passwords was cracked." The online forums will remain disabled while an investigation ensues.  

PERSONAL PRIVACY—EU & U.S.

EC Announces New PNR Deal (November 11, 2011)

The European Commission has announced a newly revised deal with the U.S. that will allow American authorities to retain airline passengers' personal data for 15 years as part of counterterrorism efforts, AFP reports. The EC and U.S. government have been negotiating the deal for several months. Previous versions have been criticised by members of the European Parliament due to privacy concerns. "To our eyes, the new text represents a very big improvement from the existing agreement," said Michele Cerone of the EU Home Affairs office. "The new agreement will guarantee that PNR (Passenger Name Record) data will be used for restricted and well-defined purposes." 

PRIVACY

Science Fiction Comes to Life with IoT (November 10, 2011)

Computerworld reports on the emergence of the Internet of Things (IoT)--"where anything with intelligence (including machines, roads and buildings) will have an online presence"--and ways in which classic science-fiction scenarios are coming true. A representative from Cisco predicts that there will be 50 billion connected devices by the year 2020. Social networks would act as the connective tissue between them. "In the coming years, anything that has an on-off switch will be on the network...I foresee it in just about every industry and stream of life," he says. The IoT brings with it concerns about security and privacy protection. A representative from the Massachusetts Institute of Technology said, "Basic e-mail is still getting hacked, and we've had that for 25 years."   

HEALTHCARE PRIVACY—U.S.

Committee Explores HITECH Finalization, Enforcement (November 10, 2011)
The Senate Judiciary Subcommittee on Privacy, Technology and the Law held its second-ever hearing yesterday to explore several healthcare privacy issues. "Your Health and Your Privacy: Protecting Health Information in a Digital World" called upon witnesses from two government agencies, a healthcare facility and a privacy advocacy group to uncover the current state of healthcare privacy with regard to electronic health records, finalizing HITECH rules, enforcement trends and what is needed to further protect privacy among patients. This Daily Dashboard exclusive looks into questions asked by Sen. Al Franken (D-MN) about why the business associates rule--expanded under HITECH--has not been finalized and the possible effects on patient trust and government enforcement.

PRIVACY LAW—KENYA

Group Calls for Stronger Provisions in Draft Bill (November 10, 2011)

The Draft Kenya Data Protection Bill 2009 is "critically limited" and should be revised to come into line with international standards on freedom of expression and information. That's according to human rights organization Article 19, which says it supports the adoption of data protection laws--increasingly being implemented in African countries--but that Kenya's draft bill only covers data held by public authorities and is "significantly weaker" than most data protection laws, which apply to private companies, nonprofits and other entities. Article 19 recommends the bill be extended to private entities, ensure funding for the governing commission and provide individuals full access to their records, among other changes.  

PRIVACY LAW—U.S.

State Enacts Exemption to Credit Card Act (November 10, 2011)

The California Legislature has created a limited exemption to the Song-Beverly Credit Card Act of 1971, Privacy & Security Source reports. In the aftermath of concerns raised in a California Supreme Court case that determined zip codes constituted personal information, the legislation, which was introduced on behalf of the Western States Petroleum Association, allows zip codes to be collected "only in transactions conducted at a 'retail motor fuel dispenser' or a 'retail motor fuel payment island automated cashier' and solely for purposes of preventing fraud, theft or identity theft," the report states.  

PRIVACY LAW—U.S. & EU

Experts, Organizations Respond to Comments (November 10, 2011)

The New York Times reports on reaction to comments made earlier this week by European Justice Commissioner Viviane Reding and German Minister of Food, Agriculture and Consumer Protection Ilse Aigner about strengthening the European Union's (EU) data protection framework. One privacy lawyer was skeptical that the strengthened laws would place more of a burden on U.S.-based companies, saying, "The challenge is one of jurisdiction in the Internet age." Meanwhile, earlier this year, the American Chamber of Commerce to the EU submitted a brief to lawmakers saying stricter laws "would inevitably lead to a general obligation to monitor the Internet, undermining the strong foundations on which the Internet was developed in the first place and the basis on which democratic societies operate." (Registration may be required to access this story.)  

DATA LOSS

Experts: CPO, Plans Needed To Avoid High-Cost Breaches (November 10, 2011)

"Having a good plan in place can seriously reduce the costs resulting from the breach as, in these kinds of situations, the longer things run without being dealt with in the proper fashion, the more costly it can get." That's the message from one of the cyber-risk experts sharing insights on guarding against high-cost data breaches in a Financial Times feature. Given the ever-increasing amount of personal data that companies hold about their customers, the report highlights safeguards that apply across jurisdictions and borders, including having a breach response plan and a dedicated chief privacy officer in place. (Registration may be required to access this story.) Editor's Note: The most recent edition of Inside 1 to 1: PRIVACY includes a report on avoiding becoming the subject of a U.S. FTC action or a target for lawsuits.

DATA PROTECTION

Carrots, Sticks and Big Data (November 10, 2011)

In The Mercury News, Larry Magid summarizes last week's 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Magid observes that "there are tensions not only between regulators and those they regulate but among regulators themselves, who don't always agree on just whether they should be wielding sticks or dangling carrots." And he discusses the conversations about "big data," quoting Future of Privacy Forum Director Jules Polonetsky, CIPP, as saying there are concerns about how big databases will be used but that they also offer benefits. "We can learn a huge amount, and the question is, can we manage to not throw out the baby with the bath water."

ONLINE PRIVACY—U.S.

Self-Regulation Council Gives First Report (November 10, 2011)

The Online Interest-Based Advertising Accountability Program, established in August to oversee the advertising industry's self-regulation efforts, has released the results of its first six compliance cases, reports The Washington Post. Genie Barton, vice president of the Council of Better Business Bureau, said she was happy with how quickly and positively the companies changed their policies to come into compliance, adding that "independent enforcement demonstrates that self-regulation can work and that it is being taken very seriously by this program." If a company fails to comply with the regulations, the council would report it to the Federal Trade Commission and announce the finding in a news release and posting, Barton said. (Registration may be required to access this story.)  

Senate Committee Explores HITECH Finalization, Enforcement (November 10, 2011)

 

By Jedidiah Bracy, CIPP

At a Senate Judiciary Subcommittee hearing on electronic health records and healthcare privacy, Sen. Al Franken (D-MN) said it is “not satisfactory” that crucial protections provided for under the Health Information Technology for Economic and Clinical Health Act (HITECH) have not yet been implemented.

Of major concern for Franken is the lack of finalization of the business associates rule by the U.S. Department of Health and Human Services (HHS).

When asked, the HHS’ Office for Civil Rights (OCR) Director Leon Rodriguez said he agreed the rule—which was included in HITECH—would “plug holes” in the Health Insurance Portability and Accountability Act (HIPAA). Noting that they had received “extensive comments” on the rule, Rodriguez said the OCR staff is “working diligently” but have no time frame for finalization.

“Hurry up,” said Franken.

“Implementation has been agonizingly slow,” said Deven McGraw, director of the health privacy project at the Center for Democracy & Technology. She stressed the need for regulations—“almost three years later and we still don’t have them.”

McGraw noted that patients need to trust that the information they are sharing with their providers will be handled securely. “We’ve been hearing about promising results. At the same time the public expresses concern about the security and privacy of their information.”

As a result, she said, patients decide to not share pertinent information, lie or refuse to receive treatment. “The wild, wild west for data is not an environment of trust,” she said.

Joined by ranking member Sen. Tom Coburn (R-OK) as well as Sens. Sheldon Whitehouse (D-RI) and Richard Blumenthal (D-CT), Franken queried Rodriguez and U.S. Department of Justice Attorney Loretta Lynch about why there has been a “lack of enforcement” in cases involving healthcare privacy.

Lynch said enforcement numbers “are not reflective of what the Department of Justice is doing.” She agreed to work with Franken’s staff to provide additional enforcement information.

Rodriguez was optimistic. He said “the beginnings of change are happening” under HITECH, noting that the 2009 legislation has changed the environment because of the breach notification rule, increased penalties for violations and the introduction of the OCR’s HIPAA compliance auditing program.

Saying that “laws are useful only to the extent they are rigorously enforced,” Blumenthal asked Hennepin County Medical Center Privacy Officer Kari Myrold if...

PRIVACY LAW—U.S.

FTC Settles Two Privacy Complaints (November 9, 2011)
The Federal Trade Commission has reached two settlements over online privacy complaints, The Washington Post reports. The commission said children's social networking site Skid-e-kids violated the Children's Online Privacy Protection Act (COPPA) by making deceptive claims in its privacy policy about its data collection and by allowing children under the age of 13 to register for the site without parental consent, which is forbidden by COPPA.

PRIVACY LAW—U.S.

Supreme Court Hears GPS Tracking Case (November 9, 2011)

During arguments in United States v. Jones this week, Supreme Court Justice Stephen Breyer said if the government wins this case, "there is nothing to prevent the police or government from monitoring 24-hours-a-day the public movements of every citizen in the United States," drawing a connection to George Orwell's 1984. NPR reports on the case, which involves law enforcement's use of GPS to track a suspected criminal's location. Antoine Jones' appeal claims that police should have obtained a warrant before using GPS to track his vehicle when they suspected he was selling illegal drugs in 2005. The government's case asserts that Jones didn't have a reasonable expectation of privacy under the Fourth Amendment because he was tracked on public streets. But Jones' case argues that GPS devices are capable of producing detailed data that an agent tracking a person couldn't. 

PRIVACY LAW—EU

Expert: Updated Directive Is Vital (November 9, 2011)

V3.co.uk reports that Eduardo Ustaran, CIPP, head of Field Fisher Waterhouse's privacy and information law group, says updating and strengthening the EU Data Protection Directive (95/46/EC) is vital to protect European citizens' data. The European Commission (EC) "wants to make sure that companies targeting individuals in the EC do not fall outside European law as the current directive is limited in scope," says Ustaran. "For example, German data regulators find it hard to compel organizations to adhere to its own laws if they're not based within the EU at large, so there is a strong desire to overhaul the current system." The updated directive is also reportedly going to address loopholes in the current directive that allow the U.S. Patriot Act to access European citizens' data contained in the cloud.

PRIVACY LAW—U.S.

Kerry and McCain Press for Final FTC, DoC Reports (November 9, 2011)

Sens. John Kerry (D-MA) and John McCain (R-AZ) have written to the Federal Trade Commission (FTC) and Department of Commerce (DoC), pressing for the release of both agencies' final reports on consumer privacy, The Hill reports. "Congress and the public could use the guidance of the expert agencies in the form of final reports to help make sense of current practices and how to best protect innovation without sacrificing people's privacy," the senators wrote. At the 33rd International Conference of Data Protection and Privacy Commissioners last week, officials from the FTC and DoC indicated separately that their final reports would be released soon. 

HEALTHCARE PRIVACY—U.S.

OCR To Begin HIPAA Audits This Month (November 9, 2011)

The HHS Office for Civil Rights (OCR) will begin HIPAA audits on covered entities this month, Health Data Management reports. KPMG has been contracted to conduct the audits--at least 150 by the end of next year--on HIPAA's privacy, security and breach notification rules. The OCR has said an initial 20 audits will act as a test run to determine how future assessments will be conducted. Entities will be notified of an impending audit in writing 30 to 90 days prior, but the OCR has not yet indicated how it will select which firms to visit. Editor's Note: The IAPP will host a Web conference on "Enforcement Trends in Healthcare Privacy" this Thursday, November 10, from 1-2:30 p.m. EST.

PRIVACY LAW—CHINA

New Amendment, Legislation Address PII Protection (November 9, 2011)

Two separate acts of legislation have been passed in China to address the protection of citizens' personal information, Hunton & Williams' Privacy and Information Security Law Blog reports. An amendment to the Law of the People's Republic of China on Resident Identity Cards provides additional provisions to protect the personal data contained on the cards. The amendment requires agencies and organizations that process the identity card data to keep the information confidential. Violations of the act could result in possible criminal sanctions, imprisonment, fines or civil liabilities. Meanwhile, the Regulation of Information Technology of Jiangsu Province has been passed to address the collection and use of personal information and includes legal responsibilities for violations.   

DATA PROTECTION—U.S.

Experts On Regulation: It’s “Just Good Business” (November 9, 2011)

A Financial Times report offers experts' takes on how to handle multiple--and changing--data protection regulations, noting that a Ponemon Institute study has placed the average cost of compliance at $3.5 million. One IT expert says companies should work to anticipate future legislation, while a PricewaterhouseCoopers consultant disagrees, saying early action once regulations are outlined is the solution. Both agree, however, that "Regulation is just good business." Brian Murray of 2e2 IT consultancy says one successful method involves building a "management framework that can cope with similar aspects of different regulations," adding, when new regulations come along, cost and time burdens for compliance are reduced for these businesses. (Registration may be required to access this story.)

PRIVACY LAW

Multinationals Struggle To Comply With Varied Laws (November 9, 2011)

Describing online privacy as "an issue of central importance for businesses in every industry," Financial Times explores the efforts of policymakers to strengthen existing privacy laws and introduce new ones as Internet technologies evolve ahead of legislation. "The rules differ widely from country to country, with varying degrees of enforcement," the report states, noting that from the sectoral privacy regulations of the U.S. to those "stricter laws" in place in such countries as the UK, Germany and Canada, "the large and growing body of different national privacy regimes means that multinational businesses operating in many markets, face an increasingly difficult task in complying with them all." (Registration may be required to access this story.)

PRIVACY LAW—EU

Reding & Aigner: Stronger Rules Needed (November 8, 2011)
In a press release, EU Justice Commissioner Viviane Reding and German Federal Minister for Consumer Protection Ilse Aigner together called for a more robust data protection framework to protect EU consumers and keep pace with innovations like social networks and the cloud. Reding and Aigner said companies that "direct their services to European consumers should be subject to EU data protection laws." Companies--including social networks and cloud providers--that do not comply with the rules "should not be able to do business" in the EU, they added.

ONLINE PRIVACY—U.S.

Advertising Group Expanding Privacy Principles (November 8, 2011)

The Digital Advertising Alliance (DAA) has released new privacy principles to its Internet advertising industry program, Bloomberg reports. "Principles for Multi-Site Data" will prohibit participating companies from collecting Web users' Internet browsing history to determine eligibility for employment, credit, healthcare or insurance. DAA Managing Director Peter Kosmala, CIPP, said, "With the addition of these new principles, combined with the fast-growing adoption and online display of the Advertising Option Icon, the business community has taken another step to address concerns of policymakers regarding online data collection and use." Justin Brookman, director of the Center for Democracy & Technology's consumer privacy project, said, "This is definitely a step in the right direction."

PRIVACY LAW—INDIA

Extended Provisions Could Hinder Privacy Bill (November 8, 2011)

As the Indian government looks toward expanding its proposed privacy law, it must decide how to handle existing provisions on lawful interceptions of communications. The privacy bill "aims to uphold the right of all Indians against any misuse of their personal information, interception of personal communication, unlawful surveillance and unwanted commercial communication," MINT reports, but its scope now stretches beyond data protection to areas governed by various ministries, which could create jurisdictional conflicts. In any case, one government official said, the new law "has to be comprehensive enough to address at least the basic privacy requirements." 

DATA LOSS—U.S.

Patient Data Compromised in Two Breaches (November 8, 2011)

The UCLA Health System is notifying 16,288 patients that their personal information was compromised after a hard drive was stolen from a former employee's house. The Los Angeles Times reports that while the hard drive was encrypted, a piece of paper with the password to the information is also missing. The hard drive contained patients' names and some birth dates, addresses and medical record information, the report states. Meanwhile, the Lawrence Memorial Hospital in Kansas has announced that the financial information of about 10,000 of its patients may have been posted online for more than a month through an online payment service provider. KMBC reports the data may have included names, some contact information, healthcare provider and credit card information. 

DATA LOSS—FINLAND

Police Publish List of Breach Victims (November 8, 2011)

The Finnish police have published the names and birthdates of about 16,000 people affected by a personal data breach on Facebook, Helsinki Times reports. The stolen data--taken from adult education institutions by a group identifying itself as Anonymous Finland--included names, addresses, telephone numbers, e-mail addresses and Social Security numbers. The communications minister has said some of the stolen data was not adequately protected. Anonymous Finland is making political demands and has hinted that it has other stolen data, the report states.

HEALTHCARE PRIVACY—U.S.

Report Considers Integration’s Privacy Implications (November 8, 2011)

With the line between healthcare providers and payers becoming increasingly blurred, an iHealthBeat report questions whether privacy issues will stand in the way of both joining forces "for a coordinated, high-quality, efficient healthcare system." Acknowledging that healthcare providers and payers "use and disclose protected health information (PHI) differently, and the potential benefits to having access to such PHI are drastically different between the two," the authors examine the HIPAA Privacy Rule and conclude it "does a fairly good job of addressing the payer-provider integrated delivery and financing system," predicting that privacy will not become "a significant impediment to their success."

PRIVACY LAW—U.S.

Supreme Court To Consider Surveillance Case (November 7, 2011)
The Wall Street Journal reports on a case before the Supreme Court to determine whether law enforcement officials need warrants to attach GPS devices to suspects' vehicles. The case, which is scheduled to be heard Tuesday, "asks what privacy expectations are reasonable in an era when Americans surround themselves with digital devices that constantly log their movements in computer databases," the report states. (Registration may be required to access this story.)

DATA LOSS—CANADA

CRA Employee Loses Tax Data on 2,700 (November 7, 2011)

Privacy Commissioner Jennifer Stoddart is asking why she was never informed of a 2006 Canada Revenue Agency (CRA) data breach in which an employee copied the tax records of almost 2,700 citizens to CDs--and allowed a portion of those to be downloaded to a friend's laptop, reports CTV. During a 2008 grievance hearing against CRA, the employee produced the CDs and asked the panel to read an e-mail saved to one of them, triggering an investigation into the data security practices of the organization. While the disks have been recovered, the laptop is still missing. The CRA says the investigation shows the data was deleted from the laptop "in such a way that an average user could not access through a normal operating system."

DATA LOSS—FINLAND

Personal Data of 16,000 Leaked Online (November 7, 2011)

Finland's communications authority, Ficora, is telling more than 16,000 victims of a data breach to be aware of online predators after their personal information was leaked on a file-sharing website, YLE.fi reports. Compromised information includes Social Security numbers, addresses, telephone numbers and e-mail addresses. A data security expert says he believes the incident may have been caused by careless handling of data. The National Bureau of Investigation has launched a criminal probe into the incident, the report states.  

HEALTHCARE PRIVACY—AUSTRALIA

Pilgrim: E-Health Regs Need Clarity, Consistency (November 7, 2011)

Australian Privacy Commissioner Timothy Pilgrim has submitted comments to the government's draft legislation for personally controlled e-health records (PCEHR), noting, "Individuals have an interest in clear and consistent privacy protections applying to health information in the PCEHR system, irrespective of where a person accesses it and how that person subsequently stores it." The Australian reports that Pilgrim outlined 22 changes and clarifications and is calling for stronger powers for the information commissioner to audit the system operator and investigate and manage complaints. The New South Wales Council for Civil Liberties is focusing on patients' ability to access and control their records, while the Australian Private Hospitals Association is urging the government to make sure all issues are addressed before launching the system. (Registration may be required to access this story.)

DATA LOSS

Company Takes Down Websites After Breach (November 7, 2011)

Adidas has taken down some of its websites after it learned of a "sophisticated, criminal cyber attack" last week, The Inquirer reports. The company has said it does not believe consumer data was compromised, but as a precaution, it took the sites offline while it conducted a "thorough forensic review." The company has implemented more security measures and said, "nothing is more important to us than the privacy and security of our consumers' personal data." 

PRIVACY LAW—SWEDEN

Complaints Say Site Violates Privacy (November 7, 2011)

The Local reports that a new, non-government website is generating complaints because it contains personal information of convicted criminals. Users of the site are able to perform geographic searches as well as find out the names, contact information, personal identity numbers and court rulings of the offenders, the report states. The country's data protection laws prohibit "anyone other than a public agency to handle personal information about violations of the law which include crimes." A representative from Sweden's Data Protection Board says the agency has received complaints about the site but has yet to conduct a detailed investigation.

HEALTHCARE PRIVACY—U.S.

Pharmaceuticals Plan To Pay for Patient Data (November 4, 2011)
Businessweek reports on the Partnership to Advance Clinical Electronic Research (PACeR), one of an array of programs created across the U.S. "as medical providers, software vendors and health data businesses seek ways to profit" from electronic health data. While federal law does not allow providers and insurers to disclose patients' identifying information, the report notes that drug companies can pay PACeR "to query the records systems of participating hospitals to compile a list of patients who match a trial's requirements" and, once gaining required approvals, access personal information with patient consent.

PRIVACY LAW—FRANCE

CNIL Releases Cookie Guidance (November 4, 2011)

The French Data Protection Authority (CNIL) has released guidance through its website addressing the EU Directive 2009/136/EC and the use of cookies by online companies. In this Daily Dashboard exclusive, Bird & Bird Associate Gabriel Voisin explores the key elements of the recently released guidance, including how the term "cookie" will be interpreted, which types of cookies do not require prior consent, ways to obtain user consent, the CNIL's position on advertising industry initiatives and the risks of not complying with the new rules. Editor's Note: Visit the IAPP Knowledge Center for a comprehensive look at the status of EU member states' implementation of the ePrivacy Directive.

HEALTHCARE PRIVACY—U.S.

ONC To Launch Survey, Education Campaign (November 4, 2011)

iHealthBeat reports that the Office of the National Coordinator for Health IT (ONC) is launching campaigns to gather public opinion and educate people about the privacy and security of electronic health records (EHRs) and health information exchanges. The ONC will pretest its opinion gathering initiative with a 100-person survey and is planning to question 2,000 people yearly for five years on concerns about unauthorized access and sharing of EHRs. The two-year educational campaign will use information collected from focus groups, interviews and surveys in the first phase to guide the development of educational materials and messaging.

TRAVELERS’ PRIVACY—AUSTRALIA & EU

Passenger Data Audits Irregular (November 4, 2011)

The Australian government has signed a revised Passenger Name Record agreement with the EU, which will allow the Australian Customs Service to retain passenger data for nearly six years to combat crime. Customs is required to audit its privacy protections to ensure compliance with the Privacy Act, but an Office of the Australian Information Commissioner report indicates that no such audits were conducted last year, The Australian reports. The most recent audit was conducted in 2009 but was not published. The team that conducted the audit said the agency's practices were generally compliant with the Privacy Act but added that a number of "best practice" recommendations were made. (Registration may be required to access this story.)

INFORMATION ACCESS—U.S.

Court Grants Access to Pension Data (November 4, 2011)

New Hampshire's Supreme Court has ruled that the public has a right to know the names and payment amounts of the state's top 500 pension earners. The Union Leader sued the NH Retirement System (NHRS) under the state's Right-to-Know Law, the Nashua Telegraph reports. "We have determined that retirees have a privacy interest in their names and benefit amounts, but that interest is comparable to public employees' privacy interest in their names and salaries," Associate Justice Gary Hicks wrote in the court's decision, adding, "The public has an interest both in knowing how public funds are spent and in uncovering corruption and error in the administration of NHRS."

PRIVACY LAW—U.S.

Court Dismisses “Friend Finder” Lawsuit Again (November 4, 2011)

A California court has dismissed a complaint claiming that Facebook used members' names and profile pictures to promote its "Friend Finder" feature without consent--amounting to an unauthorized endorsement, reports ZDNet. The judge ruled against the plaintiffs, saying Facebook's actions did not cause financial loss to the users and only displayed the information to existing Facebook friends, therefore causing no cognizable harm. According to Hunton & Williams' Privacy and Information Security Law Blog, when this case was originally dismissed in June, Facebook argued that by agreeing to the terms and conditions of the site, users had consented to this type of use. The court declined to decide that matter when it dismissed the case.

DATA LOSS—UK

MP Apologizes for Privacy Breach (November 4, 2011)

Business Secretary Vince Cable has apologized for inappropriately disposing of unshredded documents and letters that contained personal information of constituents, The Telegraph reports. Cable admitted that it was an "unacceptable breach of privacy" and has taken "full responsibility" for the incident. The Information Commissioner's Office (ICO) has confirmed that it has been notified by Cable and will look into the matter. Cable could face a fine of up to £500,000 from the ICO, the report states.

PRIVACY LAW—U.S.

Expert: COPPA Should Be Changed (November 3, 2011)
Earlier this week, researchers released a report concluding that the efficacy of the Children's Online Privacy Protection Act (COPPA) is in question because parents may be unknowingly complicit in circumventing the law when helping children lie about their age for the purposes of opening Facebook profiles. The Daily Dashboard caught up with one of the report's authors to find out her perspectives on the study.

BEHAVIORAL TARGETING

Google Releases Opt-Out Feature for Users (November 3, 2011)

Google has released a new feature to explain why Google search and Gmail users have been targeted by advertisements and allow them to opt out of such ads from future search page results, reports The Wall Street Journal. "Why These Ads" is an effort to increase company transparency when it comes to behavioral advertising, the company's senior vice president of advertising wrote in a blog post. "Because ads should be just as useful as any other information on the Web, we try to make them as relevant as possible for you. Over the coming weeks, we're making improvements to provide greater transparency and choice regarding the ads you see on Google search and Gmail," the blog states. (Registration may be required to access this story.)  

PRIVACY LAW—GERMANY

DPA Says Site May Be Illegally Tracking Users (November 3, 2011)

The New York Times reports that Hamburg's data protection authority has said that Facebook may be illegally tracking subscribers through the use of cookies, even after a user deletes an account. After an investigation into the way cookies are installed after an account is created and deleted, Data Protection Commissioner Johannes Caspar said, "The probe raises the suspicion that Facebook is creating user tracking profiles." Such profiles would be illegal if a user was not alerted, according to the report. "Arguments that all users have to remain recognizable after they leave Facebook to guarantee the service's security can't stand up," Caspar said. A Facebook statement says the company is seeking an "open channel of communication" with Caspar, while another statement adds that it "does not track users across the Web." (Registration may be required to access this story.) 

PRIVACY LAW—U.S.

Data Breach Legislation “Stalled” (November 3, 2011)

POLITICO reports that the Senate Commerce Committee is "still at the drawing board" on data breach legislation efforts. While there has been some progress, the report suggests that "disagreements about the bill's scope and application have been pervasive enough that the committee decided against marking up the data security proposal at an executive session Wednesday" and are looking at a December markup instead. House Energy and Commerce Committee members also "continue to squabble over data security," the report states. Meanwhile, Inc. reports on the implications of potential online tracking legislation for small businesses. 

DATA PROTECTION—U.S.

Experts: Rise in Litigation Means Contracts Are Key (November 3, 2011)

According to a recent study, 53 percent of Americans say they would take legal action against an organization that loses their personal information. While litigation has become seemingly more common in breach cases, "they've been notoriously unsuccessful," says one DC attorney. But a recent court ruling stating that consumers' proactive measures to protect themselves could constitute financial damages shows that things may be changing. David Navetta, CIPP, of the Information Law Group predicts, "protections in the service provider contracts are going to become very important." InformationWeek points to recent lawsuits in the millions of dollars waged against Stanford Hospital and the Department of Defense as evidence for the importance of contract language with third-party service providers. Editor's Note: Read the most recent edition of Inside 1 to 1: PRIVACY for expert insights on how to avoid becoming a target of FTC enforcement or legal action. 

ONLINE PRIVACY

IAB Issues Guide on Data Uses (November 3, 2011)

The Interactive Advertising Bureau (IAB) has published a new guide to help media planners, publishers and data providers communicate about their data uses, MediaPost News reports. The "Data Segments and Techniques Lexicon" aims to give "relevant parties a common set of terms and collection methods around the use of data to create audience segments for online campaigns," the report states. The guide provides instruction on the use of data for behavioral targeting, defines terms such as first- and third-parties and clarifies various categories of user data, such as "inferred," "predictive" and "descriptive" data.

SOCIAL NETWORKING

Impending “Timeline” Release Elicits Concerns (November 3, 2011)

USA TODAY reports on Facebook's impending overhaul of its members' profile pages with the unveiling of its new "Timeline" feature. The feature will display members' history on Facebook comprehensively, which has drawn criticism from privacy advocates. "Things, over time, get harder to find, and that is sometimes a good thing," said Marc Rotenberg of the Electronic Privacy Information Center (EPIC). In letters to the Federal Trade Commission, EPIC has voiced concerns that Facebook should "honor its past commitment to privacy settings," the report states. Facebook says users will have five days to hide aspects of their profiles that they don't want as part of their history. 

Social media, parental consent and changing COPPA: A Q & A with danah boyd (November 3, 2011)
Earlier this week, researchers released a report concluding that the efficacy of the Children’s Online Privacy Protection Act (COPPA) is in question because parents may be unknowingly complicit in circumventing the law when helping children lie about their age for the purposes of opening Facebook profiles.

PRIVACY LAW—U.S.

Report: COPPA Inefficacious, New Solution Needed (November 2, 2011)
A recently released report suggests that parents are often complicit in helping their children lie about their age to gain access to online sites. "Why parents help their children lie to Facebook about age: Unintended consequences of the Children's Online Privacy Protection Act (COPPA)" surveyed more than 1,000 parents and guardians of children aged 10 to 14 to find out if they knew their children were on Facebook. Most of the parents did not know why the site had a minimum age requirement and were unfamiliar with COPPA.

PRIVACY LAW—U.S.

EPIC Files FTC Complaint on Data Collection (November 2, 2011)

The Electronic Privacy Information Center (EPIC) says that Verizon Wireless' recent inclusion of increasing amounts of consumer data in marketing reports is unfair and deceptive, MediaPost News reports. EPIC has filed a complaint with the Federal Trade Commission (FTC) stating that after consumers entered into long-term contracts with Verizon Wireless, "the company changed its data use and disclosure practices, making the personal information of its customers more widely available to others." Verizon is disputing EPIC's claims, however. EPIC is asking the FTC to investigate and require Verizon to obtain customers' opt-in consent. Editor's Note: Read more on the topic of data collection in "Lawmakers Discuss Behavioral Advertising, Consumer Choice."

PRIVACY LAW—CANADA

Stoddart: Some Gun Registry Data Sharing Allowed (November 2, 2011)

Despite the New Democratic Party's (NDP) claims that the long-gun registry violates privacy laws, Privacy Commissioner Jennifer Stoddart said nothing in the Privacy Act prevents the federal government from sharing personal information via the Canada Firearms Registry with provincial governments, the Toronto Star reports. "In appropriate circumstances, an information-sharing agreement or arrangement put in place for the purpose of administering or enforcing any law could assist to ensure any transfer of personal data was in conformity with the Privacy Act," Stoddart wrote in a letter to the NDP. Quebec had requested the data to start up its own registry, but the government would not allow it.  

SURVEILLANCE—EU

Employee Surveillance on the Rise (November 2, 2011)

Al Jazeera reports on the prevalence of employee monitoring via surveillance software. With the right software, employers can intercept employee e-mails sent from personal e-mail accounts, the report states. For example, 40 percent of large companies operating in Romania use software to intercept and track information, according to IT security firm Netsec. Employees should be aware of this, said a Netsec executive, adding that "IT monitoring tools are used by some employers for personal rather than professional goals." Germany, meanwhile, is considering a federal law that would require employers planning to monitor employee communications to gain only employee consent and not that of unions and labor courts, as they are currently required to do.

PRIVACY LAW—EU

Judge To Hear Argument That Act Violates Directives (November 2, 2011)

A UK judge has said that BT and TalkTalk's argument that the UK's Digital Economy Act (DEA) violates EU laws on liability for communications made over the Internet may be successful, Out-Law.com reports. Though BT and TalkTalk lost a High Court challenge earlier this year, a judge says he will hear an argument that the act may breach the Privacy and Electronic Communications Directive and the Data Protection Directive, among other laws. The ISPs' appeal has been found to be "justified because the opinion of the judge who ruled on the legality of the processing in April differed from that of the EU's privacy watchdog, the European Data Protection Supervisor," the report states. 

PRIVACY LAW

Expert: Global Harmonization Needed for Cloud (November 2, 2011)

In an interview with BankInfoSecurity, Internet security expert Alastair MacWillson says that inconsistent data protection laws in various markets are proving to be a difficult challenge for large organizations using cloud-based services. "Much like any innovation," he says, "it takes a lot of people to talk about the opportunities and also the risks, and it takes a little bit longer for the technology guys to catch up." MacWillson discusses the interstate and international challenges organizations face, advantages provided by the cloud for cross-border security risk management and finding a balance between the risks and advantages of using the cloud.

PRIVACY LAW—U.S.

Lawyers Seek Delay in Tracking Suit (November 2, 2011)

Both sides of a lawsuit over Facebook's alleged tracking of users' online activities are asking for a delay while the Panel on Multidistrict Litigation decides whether the suit should be consolidated with a similar California case, The Associated Press reports. The class-action suit, filed by a Kansas man, is one of several in the U.S. alleging that Facebook--without consent--tracked users' online behavior while they were logged out of the site. The judiciary panel in Miami is expected to hear the request on January 26, the report states.

HEALTHCARE PRIVACY—U.S.

Opinion: Line Between Research, Privacy Blurred (November 2, 2011)

In a piece for Healthcare IT News, Jeff Rowe writes about balancing patients' privacy with research needs, noting that as "digitized health information will be more readily available for doctors, patients and researchers alike...it can be used in the effort to improve healthcare quality and efficiency." But, he cautions, there is not yet a clear line between privacy rights and what he describes as the "as yet ill-defined 'obligation to contribute' to ongoing research efforts," adding that the question lies "just beneath the surface of the recent effort by policymakers to develop effective guidelines for when and how patient health data can be used by researchers."

SURVEILLANCE—UK

Police Tracking Technology Spurs Privacy Fears (November 1, 2011)
ZDNet reports on the discovery that the London Metropolitan Police possesses military-grade technology that can track cell phone users, intercept text messages and calls and remotely shut down service. The technology is portable for tracking users on the move but can also be set up in a fixed location for tracking data in a specific area. A representative from the Electronic Frontier Foundation said, "The problem with this kind of technology is that it means that the police and law enforcement do not have to go through a cell phone provider to gain access to information that can be obtained via someone's cell phone." Meanwhile, a representative from Big Brother Watch said, "Such invasive surveillance must be tightly regulated, authorized at the highest level and only used in the most serious investigations."

BEHAVIORAL TARGETING

Report: Opt-Out Tools Not User Friendly (November 1, 2011)

A new report issued by researchers at Carnegie Mellon University says that online opt-out tools and cookie-blocking mechanisms are difficult for individuals to understand and use, MediaPost News reports. In "Why Johnny Can't Opt Out," researchers asked 45 users to test various opt-out tools and Web browser mechanisms. The report states, "Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed." Carnegie Mellon Cylab Usable Privacy and Security Laboratory Director Lorrie Cranor said, "A lot of effort is being put into creating these tools to help consumers, but it will all be wasted--and people will be left vulnerable--unless a greater emphasis is placed on usability." An Interactive Advertising Bureau representative has disputed the report's results.

PRIVACY LAW—EU & AUSTRALIA

Government Signs Passenger Data Agreement (November 1, 2011)

The Australian reports that the government has signed a revised Passenger Name Record agreement with the EU. The European Parliament approved the agreement last week to permit the Australian Customs Service to retain data transferred from air carriers--including passport numbers and credit card details--for a maximum of 5.5 years for the purpose of detecting and combating crime. The agreement has elicited privacy concerns, including from the Australian Privacy Foundation, which said the agreement intrudes on passengers' personal affairs without their knowledge and consent and that proper safeguards have not been demonstrated. The agreement allows for six agencies besides customs to share the data.

HEALTHCARE PRIVACY—U.S.

Missing Equipment Puts Patients At Risk (November 1, 2011)

More than $1 million in medical equipment storing sensitive patient information has been reported missing from a Florida hospital, FierceHealthcare reports. The items stolen from James A. Haley VA Hospital include laptops, an encrypted thumb drive containing patient information, microscopes and cameras used to take pictures of breast cancer surgeries. The camera also contained Social Security numbers. The Government Accountability Office says a lack of inventory may be to blame. "We've had these kinds of problems before, and it boils down to either this is theft or it's messed up records or it's both, and it's got to stop," said Sen. Bill Nelson (D-FL).

The IAPP web conference Enforcement Trends in Healthcare Privacy on November 10 will explore trends in this area, including who’s taking enforcement actions and what the future may hold.

PERSONAL PRIVACY—AUSTRALIA

Arson Database Inflames Privacy Concerns (November 1, 2011)

Attorney General Robert McClelland announced on Monday that a national arson database is up and running, causing civil liberties groups to criticize the office's consultation practices, reports IT Wire. The National Arson Notification Capability adds warning flags to records in the National Police Reference System. It was originally proposed by a forum of police, fire and rescue representatives after fires broke out in Victoria in 2009. Australia Privacy Forum Chair Roger Clarke says while arson is a serious problem, questions remain about how the database will operate, what qualifies a citizen for registry in it, who will have access to it and how citizens get access to their records.

DATA LOSS—HONG KONG

Department Finds Missing Data (November 1, 2011)

The Hong Kong Labour Department has announced that it has located personal data that went missing last week, 7th Space reports. An envelope containing the personal information of 56 individuals applying for employees' compensation was found in Tuen Mun Hospital still sealed and intact. The department said it would continue its investigation into the incident and has improved dispatch operations with hospitals. 

SOCIAL NETWORKING—U.S.

Lawmakers Question Site’s Data Collection Practices (October 31, 2011)
In a letter addressed to Facebook CEO Mark Zuckerberg, four lawmakers are questioning how the company handles user data, The Hill reports. Reps. Joe Barton (R-TX), Ed Markey (D-MA), Marsha Blackburn (R-TN) and Carolyn Maloney (D-NY) have asked the company to describe what personally identifiable information it collects, how it stores the data and whether the data is deleted upon a user's request. Citing reports of an Austrian consumer's request for his user data, the lawmakers said, "We are concerned that although the user was under the impression that this information was deleted at the user's request, Facebook continued to retain the information." Meanwhile, Facebook is investigating whether an influence-measuring site violated Facebook's privacy policies.

HEALTHCARE PRIVACY—U.S. & CANADA

Technology Improves Care, But May Risk Privacy (October 31, 2011)

U.S. doctors have found it useful to text each other for rapid communication, but those who do may expose themselves to privacy and security violations under the Health Insurance Portability and Accountability Act, American Medical News reports. One attorney recommends physicians check to see if their smartphones are capable of encryption, autolock and remote wiping--in case the phone is ever stolen. Meanwhile, in Canada, BC's health minister and Vancouver Coastal Health say a breach that occurred when a laptop was stolen at a Toronto airport could happen again because so many healthcare employees use portable devices.

ONLINE PRIVACY—CHINA

Gov’t Says Public WiFi Will Be Secure (October 31, 2011)

Three national telecom companies are developing a public WiFi network in Beijing. Expected to launch before the end of the year, the "My Beijing" network will be free during its initial three years, but some are concerned that the service will allow government access to personal information, reports The Next Web. Users will be authenticated by providing their cell phone number, and some say this will risk the privacy of Web browsing history and allow numbers to be recorded and sold to marketing companies. Government officials "insist that the phone number requirement is without ulterior motive," the report states.

PRIVACY LAW—AUSTRALIA

APF Raises Concerns About e-Health Legislation (October 31, 2011)

Australian Privacy Foundation (APF) Chairwoman Juanita Fernando says the draft laws underpinning the operation of the government's e-health record system contain a loophole that allows authorities to conclude that a data breach was "not deliberate," reports The Australian. "Under this legislation, no government and no employee can be sued or prosecuted for any harm or damage arising from a breach," Fernando says. In addition to removing the loophole, Fernando says, "we ask for penalties to be provided in the context of unintentional breaches of community information." According to the report, the penalties should include compensation, the opportunity for class-action lawsuits and steps to mitigate future breaches. Fernando also says that the bills do not cover new technologies like cloud computing and mobile devices.

PRIVACY LAW—CANADA

Opinion: “Lawful Access” Legislation Is Surveillance (October 31, 2011)

In a National Post op-ed, Ontario Information and Privacy Commissioner Ann Cavoukian contends that the re-introduction of three federal lawful access bills, C-50, C-51 and C-52, would create "a system of expanded surveillance," adding, "I have no doubt that, collectively, the legislation will substantially diminish the privacy rights of Ontarians and Canadians as a whole." She warns that Canadians "must be extremely careful not to allow the admitted investigative needs of police forces to interfere with or violate our constitutional right to be secure from unreasonable state surveillance." Cavoukian urges the government to redraft the bills. "The government needs to step back and consider all of these implications." 

DATA PROTECTION

Browser Found To Have Privacy Flaw (October 31, 2011)

Recent versions of a third-party Web browser reportedly have been found to have a privacy flaw, reports Ars Technica. The Android Police blog has reported that a breach of privacy occurs when every URL loaded in Dolphin HD is relayed as plain text to a remote server, the report states. Dolphin HD has released a statement explaining that when the URL is relayed, data is not collected or retained and says it has updated the browser to disable the feature and that it will be opt-in in the future.

PRIVACY

Opinion: Privacy Is Gone…Isn’t It? (October 31, 2011)

CEOs have been telling the public since as far back as 1999 that it has "zero privacy anyway. Get over it." And they are right, opines Mike Francis for The Oregonian. The ascendance of major data brokers has played a significant role in privacy's erosion, Francis writes, with profits to be made from the packaging and reselling of data. People are being tracked by everyone from their doctor's office, to law enforcement agencies and retailers. "Even as you sleep, your household is part of a smart grid of energy supply and demand," he writes. On the contrary, Jason Lewis opines for the Minneapolis StarTribune that U.S. courts have become hypersensitive to privacy rights recently.      