Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.


Top Privacy News

PRIVACY LAW—U.S.

EPIC and FTC Face Off in Court (February 29, 2012)
The Electronic Privacy Information Center (EPIC) and the Federal Trade Commission (FTC) "are going toe-to-toe in court" ahead of Google's implementation of its new privacy policies, ZDNet reports. EPIC filed a legal challenge earlier this month claiming Google's new privacy policy would violate the company's settlement with the FTC, but a judge dismissed the suit last week. Monday, EPIC filed an emergency appeal asking the court to overturn the ruling. The Department of Justice, representing the FTC, filed an opposition on Tuesday to the Court of Appeals. Meanwhile, French data protection authority, the CNIL, has stated Google's new policy violates European data protection law, and U.S. legislator Mary Bono Mack (R-CA) has announced a privacy hearing in which Google is likely to participate.

MOBILE PRIVACY

Loophole Exposes Access to Photos (February 29, 2012)

The New York Times reports on a loophole in Apple's mobile devices that allows developers to copy a user's photo library without warning or notification after a user consents to allowing access to location information in photos. Though it is not clear if the company illicitly copies user photos, one app developer said, "Conceivably, an app with access to location data could put together a history of where the user has been based on photo location." The data could then be uploaded to a server and, "Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use." A representative from the Electronic Privacy Information Center said the company "has a tremendous responsibility as the gatekeeper to the app store...Apple and app makers should be making sure people understand what they are consenting to." (Registration may be required to access this story.)

PRIVACY LAW

ABA to Courts: Consider Foreign Privacy Laws (February 29, 2012)

The American Bar Association (ABA) House of Delegates has adopted a nonbinding resolution asking courts to consider foreign data protection laws when resolving legal issues, the Hunton & Williams Privacy and Information Security Law Blog reports. In the text of its resolution, the ABA recommends that, "where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation."

PRIVACY LAW—U.S.

Court: Patients Can’t Sue for Damages (February 29, 2012)

Oregon's Supreme Court has upheld the dismissal of a lawsuit seeking compensation for tens of thousands of people whose personal records were stolen from a healthcare provider, Oregon Live reports. A thief broke into a van parked at the home of an employee of Providence Health & Services in 2006 and stole medical information--including Social Security numbers--on some 365,000 people, prompting federal and state investigations. However, the civil lawsuit "failed to substantiate a negligence claim," the report states, because it did not prove the stolen data was viewed or used by a third party. Meanwhile, the personal information of nearly 1,200 veterans was discovered unattended at a medical center in Kentucky last month.

DATA PROTECTION

Suspected Hacktivists Arrested Worldwide (February 29, 2012)

In a sweep conducted by Interpol's Latin American Working Group of Experts on Information Technology Crime, 25 suspected members of the hacker group Anonymous were arrested in Argentina, Colombia and Spain, reports The Telegraph. The arrestees are suspected of planning attacks against Colombia's Defense Ministry, Chile's Endesa electricity company and others. Interpol began its investigation in mid-February and has seized 250 pieces of IT equipment from 40 locations in 15 cities, the report states.

SURVEILLANCE—U.S.

Groups, Public Petition FAA Over Drone Use (February 29, 2012)

The signing of a Federal Aviation Administration (FAA) reauthorization bill including provisions that would increase the use of drones by public and private entities has prompted privacy advocates and the public to petition the FAA to address privacy threats associated with the practice, reports Government Security News. "The privacy threat posed by the deployment of drone aircraft in the United States is great. The public should be given the opportunity to comment on this development," says the petition, signed by more than 100 parties including the Electronic Privacy Information Center.

PRIVACY LAW—FRANCE & U.S.

CNIL Reveals Early Analysis Results, Reiterates Call To Halt Policy Changes (February 28, 2012)
In a letter to Google CEO Larry Page, the French data protection authority (CNIL) says its preliminary investigation indicates that Google's new privacy policy does not meet the requirements of the European Directive on Data Protection. Dated February 27, the letter states that the company should have informed authorities prior to announcing the change, and asks, for a second time, that the company halt its plans for the new policy to take effect March 1. CNIL's preliminary investigation also shows it will be difficult for users--including trained privacy professionals--to decipher how their data is used, the letter states. Meanwhile, advocates have asked the UK's information commissioner to investigate, and U.S. Federal Trade Commission Chairman Jon Leibowitz recently voiced concerns.

PRIVACY LAW—U.S. & EU

DOC’s Kerry Discusses White House Framework (February 28, 2012)

The success of the White House's recently released framework for its privacy bill of rights will depend in part on allowing businesses and regulators to take the lead and on consumer education, said Department of Commerce General Counsel Cameron Kerry from Brussels this week. The plan is slightly different from the European Commission's top-down approach, reports Dow Jones Newswire. However, "This is not simply self-regulation," Kerry said, "we are, like the commission, proposing legislation and trying to get that adopted. This code of conduct will be legally enforceable by the Federal Trade Commission." The U.S. looks forward to working with the EU on interoperability, Kerry said. (Registration may be required to access this story.)

FINANCIAL PRIVACY—U.S.

Regulators Scrutinize Payment Card Security (February 28, 2012)

BankInfoSecurity reports on increased scrutiny by federal regulators of consumer financial data connected with payment cards and online accounts. The Independent Community Bankers Association's Cary Whaley says institutions are being asked by regulators to show precisely how financial data is being protected. The Federal Deposit Insurance Corporation recently released guidance for third-party payment processor oversight, and the Federal Financial Institutions Examination Council updated online authentication guidance. Though regulators cannot enforce the Payment Card Industry Data Security Standard, according to the report, they may reference the industry standard when examining financial institutions' overall security.

BEHAVIORAL TARGETING

A Look Into the Burgeoning Ad Industry (February 28, 2012)

NPR reports on the online advertising industry through the lens of a new book by Joseph Turow. In The Daily You: How the New Advertising Industry is Defining Your Identity and Your Worth, Turow says that though online tracking is ubiquitous, advertisers are still at the beginning stages of tracking consumers and are attempting to connect what consumers do online with what they do on their mobile devices--and eventually television. According to Turow, "We're at the beginning of this new world...It's like the beginning of the airplane industry. Things screw up, and yet we have to look down the line because we're going to have Boeing 747s down the way."

DATA PROTECTION

Study: Privacy and Security Officers Needed (February 28, 2012)

The Sydney Morning Herald reports on a Carnegie Mellon CyLab survey that found companies need both a chief information officer and a chief security officer to adequately protect their data. According to Jody Westby of Carnegie Mellon, 70 percent of senior executives "rarely, never or only occasionally review and approve security and privacy policies...and 59 percent rarely, occasionally or never receive regular reports from IT management." While the number of organizations with a dedicated risk management team has gone up from eight percent to 46 percent in the past two years, just 13 percent of companies employ a privacy officer. "It's no wonder there are so many breaches," says Westby. "Privacy, security and cybercrime are three legs of the same stool. They have to think of them as inter-related."

MOBILE PRIVACY

GSMA Publishes App Guidelines (February 28, 2012)

In the wake of recent mobile app privacy concerns, the GSMA has published a set of guidelines to give users "more transparency, choice and control over how apps use their personal information," IDG News reports. GSMA Director General Anne Bouverot described the guidelines as "an important first step," calling for "close collaboration between the mobile industry, Internet industry, civil society and regulators." A privacy officer from one of the mobile companies that has signed on to implement the guidelines noted, "In order to maintain the strong growth in both the sales and popularity of mobile apps, customers need to be confident that their privacy is protected when they use them."

PRIVACY LAW—U.S.

Judge Dismisses Advocate’s Legal Challenge (February 27, 2012)
Ruling that it does not have the authority to order the Federal Trade Commission (FTC) to take enforcement actions, a federal judge has dismissed a legal challenge to Google's new privacy policy brought by the Electronic Privacy Information Center (EPIC), Bloomberg reports. Earlier this month, EPIC filed the legal challenge claiming the new privacy policy would violate Google's settlement with the FTC. U.S. District Judge Amy Berman Jackson said, "EPIC--along with many other individuals and organizations--has advanced serious concerns that may well be legitimate...The FTC, which has advised the court that the matter is under review, may ultimately decide to institute an enforcement action." EPIC Executive Director Marc Rotenberg said, "The judge did not reach the merits of the EPIC complaint," adding that his organization is appealing the decision and will ask Rep. Mary Bono Mack (R-CA) to hold a public hearing on the issue.

BEHAVIORAL TARGETING—U.S.

DNT Would Alter, Not Stop Web Tracking (February 27, 2012)

The New York Times reports on last week's agreement by the online advertising industry to support a do-not-track mechanism and how that will affect online consumer data collection. "'Do Not Track' is a misnomer," says the Digital Advertising Alliance's Stu Ingis. "It's not an accurate depiction of what's going on...This is stopping some data collection, but it's not stopping all data collection." Under the new framework, browser vendors will provide a data collection opt-out in the settings, which will then send a communication about the opt-out to the companies collecting the data. Some privacy advocates say the deal does not go far enough to protect consumer privacy. Meanwhile, a representative from the Interactive Advertising Bureau said a high percentage of consumers opting out would have a "significant negative impact" on third-party advertising networks. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

HHS Proposes Default Encryption (February 27, 2012)

The Notice of Proposed Rulemaking (NPRM) for Stage 2 Meaningful Use proposes that mobile devices that retain patient data have default encryption enabled, reports InformationWeek. A Health and Human Services (HHS) study recently found that almost 40 percent of breaches involved lost or stolen devices. "It has become very clear that one of the major sources of breaches of data comes from lost or stolen devices, and you would not be reading about this loss of data had the information been encrypted," said HHS Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts.

MOBILE PRIVACY

For Privacy, Mobile Sphere Is “Wild West” (February 27, 2012)

In an IDG News Service report, Cameron Scott writes that when it comes to protecting privacy, "the rapidly growing mobile space is still the Wild West, with an almost endless landscape of privacy pitfalls that challenge even the most vigilant consumer." Spotlighting the amount of personal data collected on mobile phones, the report quotes Jules Polonetsky, CIPP/US, of the Future of Privacy Forum as stating that regarding privacy protection, "The industry tools don't even exist yet" and opting out is "nearly impossible." Meanwhile, a Daily Mail report explores privacy concerns spurred by the collection and use of personal information by free mobile apps.

SOCIAL NETWORKING—U.S.

Report: Americans Becoming More Privacy-Savvy (February 27, 2012)

Americans are getting more privacy-savvy on social networks, according to a new report by the Pew Internet & American Life Project. The report found that people have increased their use of privacy settings on social networking sites, with 44 percent of respondents saying they deleted comments from their profile, compared with 36 percent who said the same in 2009. "Profile pruning" is also on the rise, the report found, with almost two-thirds of respondents saying they'd deleted friends, compared with 56 percent two years ago. The report also found that women are more privacy-conscious than men on the sites and that age doesn't play a role, the Associated Press reports.

ONLINE PRIVACY—CANADA

Stoddart Raises Concerns Over Privacy Policy (February 27, 2012)

Federal Privacy Commissioner Jennifer Stoddart sent Google a letter last week asking the company to clearly disclose how it plans to keep users' personal information from different accounts separate, the Montreal Gazette reports. Stoddart said, "As we understand it, the policy changes do not mean that Google is collecting more information about its users than it currently does...They do, however, mean that you are going to be using the information in new ways--ways that may make some users uncomfortable." Stoddart also said the new policy needs to "more clearly explain its data retention and disposal policies."

ONLINE PRIVACY—U.S.

Cranor on White House Proposal, Do-Not-Track Efforts (February 27, 2012)

In an interview on NPR's "Science Friday," Lorrie Cranor of Carnegie Mellon's CyLab Usable Privacy and Security Laboratory talks about the Obama administration's proposal for online privacy, the differences between privacy in regions around the world and the expectation of privacy online. Cranor says of the recently released Consumer Privacy Bill of Rights, "it's really good to see such high-level attention to online privacy and to see the administration articulate some of the fundamental privacy principles that a lot of us have been talking about for a long time." Cranor also says that while she believes it may be possible for the U.S. to adopt an EU-style privacy approach, it's "been a fairly unpopular idea among regulators and legislators in the U.S."

ONLINE PRIVACY—U.S.

Lawmakers, Experts React to Privacy Plan (February 24, 2012)
The Hill reports on plans by Rep. Mary Bono Mack (R-CA) to hold a hearing next month on the administration's privacy blueprint. "Protecting consumer privacy online and preserving American innovation are not mutually exclusive," she said, adding, "any rush to judgment could have a chilling effect on our economy and potentially damage, if not cripple, online innovation." Sen. John Kerry (D-MA) says the Obama administration's "Privacy Bill of Rights" is an "important statement of priorities" and Congress should enact "common sense rules" for consumer protection.

PRIVACY LAW—EU & U.S.

Reding Addresses Legal Gray Area, Data Protection Reform (February 24, 2012)

U.S. authorities cannot override EU laws on data privacy, said EU Justice Commissioner Viviane Reding in a debate over whether U.S. laws and legal subpoenas could force EU companies to disclose personal data to U.S. law enforcement agencies, EUobserver reports. "Any processing of personal data in the EU has to respect the applicable EU data protection law," Reding said. Meanwhile, in a CNN feature published on Thursday--the day the U.S. government released a proposed consumer privacy bill of rights--Reding described the European Commission's proposed new framework on data protection, saying, "As Europe tackles reform, I hope these proposed rules will inspire other countries that are grappling with privacy issues, like the United States."

ONLINE PRIVACY—U.S.

Do Not Track Excitement May Soon Be Tempered (February 24, 2012)

Excitement over announcements that Google and other Digital Advertising Alliance members will support do not track (DNT) technology may be tempered when the differences between what consumers expect and what industry is willing to give are realized, CNET News reports. Some experts say the announcement is industry's attempt to avoid World Wide Web Consortium (W3C) DNT standards, which have been in the works for some time. Carnegie Mellon's Lorrie Cranor is concerned that industry players are thinking more narrowly than consumers, and perhaps "we'll have a button that allows people to prevent targeted advertising but doesn't actually allow them to opt out of being tracked." Meanwhile, two U.S. legislators are pushing ahead with do-not-track legislation.

GENETIC PRIVACY—U.S.

Court Approves DNA Collection from Arrestees (February 24, 2012)

A California appeals court has upheld a measure to take DNA samples from all adults arrested for a felony. Wired reports that an American Civil Liberties Union (ACLU) lawsuit challenged the constitutionality of the practice, but the appeals panel called DNA collection "substantially indistinguishable" from fingerprinting--a decision the ACLU and Judge William Fletcher disagree with. "Fingerprints may be taken from an arrestee in order to identify him--that is, to determine whether he is who he claims to be" not "solely for an investigative purpose," wrote Fletcher in his dissent. The ACLU agrees with Fletcher and also points out that through a DNA sample, much more than identity can be learned about a person.

PRIVACY LAW—CHINA

China Privacy Rules Come Into Effect Next Month (February 24, 2012)

A Morrison Foerster client alert discusses legislative changes issued by China's Ministry of Industry and Information Technology (MIIT) on the collection, storage and use of personal information by Internet companies, effective March 15. MIIT issued Several Regulations on Standardizing Market Order for Internet Information Services in December 2011, which "cast a relatively broad net," the report states, including prior consent requirements for collecting or sharing personal information, requirements for data storage and sanctions for misuse that include "rectification orders, warnings and penalties ranging from RMB10,000 to RMB30,000."

SOCIAL NETWORKING—U.S.

Protester’s Posts Provoke Privacy Debate (February 24, 2012)

A case involving an Occupy Wall Street protester's Twitter posts has raised concerns among privacy advocates, the Associated Press reports. The Manhattan district attorney has subpoenaed Malcolm Harris's tweets over a three-and-a-half-month period because the posts may contradict Harris's defense in court, the report states. Assistant District Attorney Lee Langston wrote, "He has no proprietary or privacy interest in tweets that he broadcast to every person with access to the Internet." The subpoena reportedly asked Twitter not to disclose that it was sharing information with law enforcement, but the company told prosecutors that its policy is to disclose to users when their information is requested without a warrant or court order. A judge has not yet ruled on the case.

ONLINE PRIVACY—U.S.

White House Releases “Consumer Privacy Bill of Rights” (February 23, 2012)
The Obama administration has today issued a set of guidelines to improve online consumer privacy while also ensuring the Internet remains a forum for economic growth, according to a White House press release. The administration has asked the Department of Commerce to work with industry, privacy advocates and other stakeholders to create and implement enforceable codes of conduct based on the White House guidelines. President Barack Obama said, "American consumers can't wait any longer for clear rules of the road that ensure their personal information is safe online," adding, "As the Internet evolves, consumer trust is essential for the continued growth of the digital economy. That's why an online privacy Bill of Rights is so important."

MOBILE PRIVACY—U.S.

California AG, Companies Reach App Privacy Deal (February 23, 2012)

California Attorney General Kamala Harris announced Wednesday that the state has reached a deal with several large tech companies to improve mobile app privacy protections on smartphones, The New York Times reports. The deal compels developers to include "conspicuous" privacy policies disclosing what personal information will be collected and how it will be used. App store providers will also be required to create an avenue for users to report apps that fail to comply. California would use its Unfair Competition Law and False Advertising Law to prosecute developers who fail to follow their privacy policies, the report states. In a statement, Harris said, "Your personal privacy should not be the cost of using mobile apps, but all too often it is." (Registration may be required to access this story.)  

ONLINE PRIVACY—U.S.

Attorneys General Want a Meeting with Google (February 23, 2012)

The National Association of Attorneys General has criticized Google's new privacy policy for not giving consumers choices about pooling their data, BusinessWeek reports. The group wrote to Google Chief Executive Officer Larry Page to say that the policy will invade consumer privacy by collecting and combining data on its users across various Google products, forcing them to share their information "without giving them the proper ability to opt out." The letter was signed by 36 attorneys general, who also asked to meet with Page to discuss their concerns.

ONLINE PRIVACY—U.S.

Experts React to Consumer Privacy Bill of Rights (February 23, 2012)

Following today's release of a consumer privacy whitepaper by the Obama administration, some privacy advocates, industry experts, privacy scholars and others have reacted to the news. Center for Democracy & Technology (CDT) President Leslie Harris said the CDT welcomes the White House's guidelines, adding, "The administration's call for a comprehensive privacy bill of rights comes at a pivotal time when there is a tremendous concern among consumers about their personal information." Intel Director of Security Policy and Global Privacy Officer David Hoffman, CIPP/US, said, "The administration's paper continues to recognize we are at a critical time in the development of computing where promoting an environment that allows for innovation is essential." Jim Harper, director of information policy studies at the Cato Institute, is skeptical. "We went over this a year ago," Harper writes, "when Sens. Kerry (D-MA) and McCain (R-AZ) introduced their 'privacy bill of rights.'"

PRIVACY LAW—EU

Commission Refers ACTA to High Court (February 23, 2012)

The European Commission has asked the European Court of Justice to determine the legality of the Anti-Counterfeiting Trade Agreement (ACTA), PC Magazine reports. EU Commissioner Karel De Gucht has asked the court to clarify whether ACTA violates rights such as "freedom of expression and information or data protection and the right to property in case of intellectual property." Proposed in 2007 and first negotiated in June 2008, the agreement must still be ratified by the European Parliament. The U.S., Australia, Canada, Korea, Japan, New Zealand, Morocco, Singapore and 22 EU member states have signed the agreement to date. De Gucht said the review is "a needed step."

TRAVELERS’ PRIVACY—EU & U.S.

in ‘t Veld Recommends Rejecting PNR Deal (February 23, 2012)

Member of the European Parliament Sophie in 't Veld says the passenger name records (PNR) agreement between the European Union and the U.S. fails to adequately protect passengers' personal information in records shared with U.S. authorities, reports the European Voice. European Commissioner for Home Affairs Cecilia Malmström, meanwhile, has lauded the agreement's "robust privacy safeguards" and warns that the U.S. administration is not likely to negotiate the terms--leaving airlines that comply with the PNR agreement unsure of whether they are complying with EU law. The European Parliament's civil liberties committee reviews the agreement on Monday, with a plenary vote scheduled for April. (Registration may be required to access this story.)

PRIVACY LAW—EU

EC Responds to “Right To Be Forgotten” Concerns (February 23, 2012)

EU Justice Commissioner Viviane Reding has responded to concerns about the "right to be forgotten" provision in the new EU data protection framework, saying that the commission was clear in its expectations. "In principle, pure hosting services have no ownership and no responsibility for the content their users let them host...However, other information services, including social networking and search engines, may exercise control on the content, conditions and means of processing, thereby acting as data controllers. If and when this is the case, clearly they have to respect related data protection obligations," the commission wrote in a rebuttal letter sent to ZDNet UK. Google's Global Privacy Counsel Peter Fleischer wrote in a blog post that posters of information--not the companies running the platform--should be responsible for deleting the information.

BEHAVIORAL TARGETING—U.S.

DAA Will Require Members To Honor Browser Settings (February 23, 2012)

General Counsel for the Digital Advertising Alliance (DAA) Stuart Ingis announced on Wednesday that the organization will require companies using its behavioral targeting icon to respect browser-based privacy settings, reports MediaPost. "The DAA will immediately begin work to add browser-based header signals to the set of tools by which consumers can express their preferences," Ingis said. Jon Leibowitz, chair of the Federal Trade Commission, is praising the decision, and Jules Polonetsky, CIPP/US, of the Future of Privacy Forum notes that a browser-based do-not-track system is "far more effective than cookies, because it doesn't get deleted when cookies get deleted." Editor's Note: Hear about emerging privacy issues in Congress during the session Legislative Update with Stuart Ingis at next month's IAPP Global Privacy Summit.

DATA LOSS

Chat Site Disabled While Breach Is Investigated (February 23, 2012)

Users of an online chat service linked to an adult website have had their personal information compromised due to the failure of a third-party service provider to protect the data, The Washington Post reports. The chat site has been disabled and will remain so until an investigation is carried out, but its owners say the site was run by a third party and that there was no breach at the company itself. It has not been confirmed how many people were affected by the breach. (Registration may be required to access this story.)

BEHAVIORAL TARGETING—U.S.

Babel: “Issues are Building Not Diminishing” (February 23, 2012)

Privacy missteps, like those making headlines of late, are not helping the online ad industry earn respect for its self-regulatory attempts, according to an AdWeek report. A Google incident hit the media just days after the Network Advertising Initiative (NAI) released its annual audit announcing that its members were in compliance with the NAI privacy code, the report states. This has some concerned that the goodwill the industry has built with the Federal Trade Commission may be at risk. "As an industry, we're taking steps forward and taking steps backward at the same time, and that's not doing anybody any good," said TRUSTe CEO Chris Babel.

ONLINE PRIVACY—U.S.

White House To Host Online Privacy Meeting (February 22, 2012)
The Obama administration has invited stakeholders in the online privacy debate to the White House this Thursday to discuss upcoming steps for online consumer protection, POLITICO reports. The meeting presages the administration's online privacy whitepaper, which will reportedly call for a consumer bill of rights from Congress and increased industry accountability under the watch of federal regulators. The administration's invite says, "In today's information economy, privacy has emerged as an increasingly important challenge as we work to ensure the protection of consumer information while supporting the growth of the 21st century economy."

PRIVACY LAW—U.S.

Facebook Suits Progress, Users Seeking Privacy (February 22, 2012)

The San Francisco Examiner reports that a series of class-action lawsuits have moved on to federal court. The lawsuits claim that Facebook violated its own privacy policy as well as the federal Wiretap Act when the site tracked users' movements on the Web and collected their personal information--sometimes when the users were not logged in to the site. Meanwhile, a university study of 1.4 million Facebook users shows an increase in users' demands for privacy. The number of users choosing to hide their friend lists is up 200 percent from 15 months ago. Users are also increasingly hiding personal details such as age, gender, hometowns and current city.

PRIVACY LAW—AUSTRALIA

Organizations Split on Breach Notification Law (February 22, 2012)

Responding to questions put forth by the Australian government as part of its cyber discussion paper, organizations laid out disparate views on how breach notification should be handled, reports ZDNet. The Office of the Australian Information Commissioner, the Australian Privacy Foundation (APF) and the Australian Information Security Association all submitted comments in support of a breach notification law, while telcos Telstra and Optus and the Internet Industry Association (IIA) sided with voluntary notification--with the IIA stating that a notification law would bring jurisdictional problems for local businesses. The APF comments dispute that reasoning, noting, "One does not have to dig particularly deep to be struck by the inadequacy of how Australian conflict of laws rules treat consumers."

DATA PROTECTION

Wyckoff: Privacy Needs Elevating in Governments (February 22, 2012)

During remarks at an event in Mexico City last fall, the Organisation for Economic Co-operation and Development's (OECD) director of science, technology and industry, Andrew Wyckoff, said the matter of data privacy needs to be elevated within governments. The OECD event, "Current Developments in Privacy Frameworks: Towards Global Interoperability," was held in conjunction with the 33rd International Conference of Data Protection and Privacy Commissioners. In this IAPP exclusive, The Privacy Advisor asks Wyckoff to answer some follow-up questions.
Full Story

PRIVACY LAW

Regional Laws Require Caution for Transfers (February 22, 2012)

Information Law Group reports on recent global privacy law developments that will require organizations to heed the expectations of regulators, consumers and employees when it comes to cross-border data transfers. In the European Union, for example, the European Commission has published a draft regulation to replace the Data Protection Directive; in Russia, the Federal Law on Personal Data was amended last year to allow data transfers to countries adhering to the Council of Europe Convention but not to the United States or India; in China, a proposed national standard has been issued, and Mexico passed its own national law in 2010.
Full Story

GEO PRIVACY—U.S.

ACLU Wants Laws for License Plate Scanning Data (February 22, 2012)

Some Connecticut police departments are testing license plate scanning technology to identify unregistered and stolen cars, and 10 towns have pooled their data into a database with more than 3.1 million records, reports The Hartford Courant. A spokesman for the American Civil Liberties Union acknowledges the value of the scanners but says the group wants regulation and oversight, calling use of the database "retroactive surveillance without probable cause."  The president of the Connecticut Police Chiefs Association says, "If you have never stolen a car, if your registration is up to date, the license plate reader will never know you exist," and one state representative notes, "technology is outpacing us....But if we focus on balancing the rights of privacy and security, I think at least we'll be focused on the right things."
Full Story

ONLINE PRIVACY—U.S.

Federal Privacy Legislation: Can It Happen? (February 22, 2012)

POLITICO reports on reasons for a lack of broad-based federal privacy legislation in the U.S. Consumers are sharing personal information on social networking sites and many are willing to trade personal privacy for free or discounted services and products, the report states. Political parties use online services to track and target voters, and some are concerned that federal privacy legislation could be harmful to industry. A senior fellow at the Brookings Institution said "we're a society that has an extremely ambivalent attitude about this...There's the attitude that we express, and there's the attitude we live--and Congress is the same way."
Full Story

BEHAVIORAL TARGETING—U.S.

Candidates Turning to OBA To Win Elections (February 21, 2012)

The New York Times reports on a sea change in political advertising: microtargeting based on behavior. "Forty years ago, you'd watch the same evening news ad as your Democratic neighbor," said one expert, noting that television viewers in four U.S. states recently saw two different versions of the same campaign ad for Mitt Romney based on data such as addresses, voter registration records, websites visited, the kinds of credit cards or cars they had and charitable donations made. The trend is possible thanks to campaign consultant groups, and it's increasingly popular, the report states.

RFID—U.S.

State, Legislator: Pull Chips from Licenses (February 21, 2012)

The Michigan legislature and U.S. Rep. Justin Amash (R-MI) are seeking an end to the federal government's requirement for radio frequency identification (RFID) chips in driver's licenses, The Newspaper reports. Amash has written to Department of Homeland Security Secretary Janet Napolitano asking her to abandon the 2009 regulatory mandate that requires states to implant RFID chips into enhanced licenses, noting, "The chips would give public and private entities an unprecedented ability to track Americans. RFIDs can be read using widely available technology, including technology contained in mobile phones, which increases the risk of identity theft."
Full Story

ONLINE PRIVACY—U.S.

Lawmakers Want Answers on Safari Tracking (February 21, 2012)

Lawmakers are asking Google about its tracking practices after a grad student and privacy researcher disclosed that a loophole allowed advertisers to place temporary cookies on Safari users' iPhones and iPads without their knowledge, USA TODAY reports. "Google has some tough new questions to answer in the wake of this privacy flap, and that's why I am asking them to come in for another briefing," said Rep. Mary Bono Mack (R-CA). Meanwhile, Reps. Ed Markey (D-MA), Joe Barton (R-TX) and Cliff Stearns (R-FL) have written to FTC Chairman Jon Leibowitz asking for an investigation into whether Google has violated its settlement with the commission.
Full Story

PRIVACY LAW—EU & HUNGARY

Hungary Responds to Infringement Proceedings (February 21, 2012)

Hungary has sent an approximately 100-page response to the European Commission regarding infringement proceedings launched against the country last month, EUobserver reports. The commission's concerns include questions about the integrity of the national data protection authority, the report states. Hungary's ambassador to the EU stated, "We sent our official replies to the European Commission, which is the end of the stage of the first process," noting the replies include proposals to change Hungary's legislation and explanations of areas where the country believes no changes are required. Hungary has indicated readiness "to make concessions to guarantee the independence of the data protection authority," the report states.
Full Story

BEHAVIORAL TARGETING

Predictive Analytics Fueling OBA (February 21, 2012)

In an article for The New York Times, Charles Duhigg takes an in-depth look at how companies collect vast amounts of personal information and use predictive analytics to advertise products to individuals before they know they want them. "A retailer's holy grail" comes when an individual's buying habits are in flux the most--the time around the birth of a child. An analyst working for one retailer told Duhigg, "We knew if we could identify them in the second trimester, there's a good chance we could capture them for years." Habit formation has become a large field of research in medical centers and universities, the report states. "We're living through a golden age of behavioral research," said a representative from Predictive Analytics World. "It's amazing how much we can figure out about how people think now." (Registration may be required to access this story.)
Full Story

SURVEILLANCE—ARGENTINA

Gov’t Programs Cause Concern for Some (February 21, 2012)

The Argentinian government has recently updated its bus fare system to government-issued payment cards that track commuters' comings and goings, reports The Miami Herald. This, combined with a recently established biometrics sharing program and an anti-terrorism law that includes a broad definition of what constitutes terrorism, has civil liberties groups raising red flags. According to the report, there has been little public debate over the new programs, and while authorities say measures like a biometric database will aid in law enforcement procedures, others say they will give the government dangerous surveillance abilities. One civil liberties lawyer says, "the lack of public debate means the average citizen doesn't know what the new technology and powers mean for their privacy and civil liberties."
Full Story

DATA LOSS—U.S.

Breaches: “We’re All Somewhat To Blame” (February 21, 2012)

"Imagine if a bank paid more attention to the color of the carpet in its lobby than the type of safe it uses to store its customers' valuables. No one would want to store anything there, that's for sure," writes Nick Bilton for The New York Times. Bilton says potentially privacy-invasive technology is "completely woven into every part of society and business" and companies need to increase their focus on privacy issues. Christopher N. Olsen, assistant director in the Federal Trade Commission's division of privacy and identity protection, says, "Industry should redouble its efforts to focus on privacy issues, or they may face additional pressure in form of legislation from Congress," which, according to industry and Bilton, would "stifle innovation." (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY—U.S.

Opinion: Civilian Drones Mean Private Data Caches (February 21, 2012)

The applications of data gathered by the civilian use of drones "will expand with imagination and additional leaps in technology," opines Jonathan Zittrain of Harvard Law School in The New York Times. And if civilian drones become common, it will be difficult to argue that government can't use them as well, he says. We should be moderately concerned about this, he says, because individuals could be recognized by their gaits and license plate numbers could be readable--and that data stored in a private database would be difficult to regulate by law. Such a database could simply be sold to the highest bidder, Zittrain writes. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Advertisers Able To Track Users Despite Settings (February 17, 2012)

Across the globe, online privacy has become the center of debate. Lawmakers have introduced more than a dozen privacy bills in Congress, reports The Wall Street Journal, and the White House has indicated it will present a Privacy Bill of Rights. Additionally, calls for do-not-track mechanisms online have led to many major browsers implementing such tools. This article explains how advertising companies have been able to track users on one browser despite contrary settings. Loopholes in the browser's policy on cookies allowed advertisers to place temporary cookies without users' knowledge, one report states. A spokesperson said the company is aware and is "working to put a stop to it." (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY

Researchers Point to Flaw in Online Transaction Encryption (February 17, 2012)

Researchers have found a flaw in the algorithm used to encrypt transactions during online banking and shopping, AFP reports. While a team of U.S. and European researchers noted, "We found that the vast majority of public keys work as intended," their report cautions, "A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

PERSONAL PRIVACY—EU

EDPS: Merger of IDs Brings Privacy Risks (February 17, 2012)

The European Data Protection Supervisor (EDPS) released an opinion on a European Commission (EC) proposal to merge professional drivers' driving licenses with their driver card, saying that it would have a "significant impact" on data protection rights. In the EDPS press release, Assistant EDPS Giovanni Buttarelli says, "We seriously doubt about the necessity and the proportionality of such a measure, which has yet to be demonstrated. A consistent approach is needed from the legislature to ensure that the development of any measures concerning drivers' data is done in full respect of data protection principles." The release also emphasizes the need for a privacy impact assessment before the merger takes place. Editor's note: EDPS Peter Hustinx will discuss the evolution of the new EU regulations in Conversations in Privacy at next month's IAPP Global Privacy Summit.
Full Story

ONLINE PRIVACY—U.S.

Reps Question DHS on Social Monitoring (February 17, 2012)

Members of the U.S. House of Representatives Homeland Security Committee's intelligence subcommittee are concerned that a Department of Homeland Security (DHS) practice of monitoring social media could lead to abuse, reports PCWorld. Spurred by a lawsuit undertaken by the Electronic Privacy Information Center, the DHS released details about the program last month--which DHS CPO Mary Ellen Callahan, CIPP/US, says is used for threat reports but mostly for natural disasters. Rep. Bennie Thompson (D-MS), however, opined, "The public must be confident that interacting with DHS, a website, a blog or Facebook will not result in surveillance or a compromise of constitutionally protected rights."
Full Story

HEALTHCARE PRIVACY—HONG KONG

Alliance Pushes for Privacy Protections on EHRs (February 17, 2012)

The Alliance for Patients' Mutual Help Organization has recommended that the government place a safety barrier on Hong Kong's Electronic Health Record (EHR) program to protect patients' sensitive personal information, reports China Daily. The alliance says that implementing a barrier would balance the public service benefits of the system with the individual rights of patients by allowing them to choose which information to disclose to caregivers. A spokeswoman for the Food and Health Bureau said the public consultation period has ended and the bureau is assessing the suggestions.
Full Story

HEALTHCARE PRIVACY

Surveys: 91 Percent of Healthcare Practices Breached, Patients Concerned (February 17, 2012)

Ninety-one percent of small healthcare practices in North America say they have suffered a data breach in the past 12 months according to a Ponemon Institute survey. The survey--which questioned more than 700 IT and administrative personnel at healthcare organizations with 250 employees or less--also found that 31 percent say "management considers data security and privacy a top priority, and 29 percent say their breaches resulted in medical identity theft," Dark Reading reports. Meanwhile, a recent survey by Harris Interactive found that though most consumers want electronic health records, they also fear the system is not currently well protected by state and federal laws.
Full Story

HEALTHCARE PRIVACY—U.S.

OCR Targets March for HIPAA Modification (February 16, 2012)

HealthcareInfoSecurity reports the Department of Health and Human Services' Office for Civil Rights (OCR) will release the final version of modifications to HIPAA and the HIPAA breach notification rule next month. OCR Deputy Director for Health Information Privacy Susan McAndrew said, "OCR is making every effort to publish the final rules on all of the remaining HITECH Act provisions so these important protections and expansions of individual rights under the HIPAA privacy and security rules can be made available uniformly to consumers across the country," adding, "OCR is proceeding with all deliberate speed to ensure the major impacts of these regulations are fully understood and addressed."
Full Story

Kirk J. Nahra, CIPP/US, Partner, Wiley Rein LLP, and Leon Rodriguez, Director, U.S. Department of Health and Human Services, Office for Civil Rights, will have a Conversation in Privacy at the upcoming Global Privacy Summit on enforcement trends in healthcare privacy.

CHILDREN’S PRIVACY—U.S.

FTC Releases Mobile App Report (February 16, 2012)

The Federal Trade Commission (FTC) today released a staff report revealing the results of a children's mobile apps survey. According to an FTC press release, the results showed that app stores and app developers are not providing parents with the necessary information to determine how their children's data is being collected, shared and accessed. FTC Chairman Jon Leibowitz said, "Companies that operate in the mobile marketplace provide great benefits, but they must step up to the plate and provide easily accessible, basic information so that parents can make informed decisions about the apps their kids use. Right now, it is almost impossible to figure out which apps collect data and what they do with it."
Full Story

PRIVACY LAW—U.S.

FCC Approves Telemarketing Rules (February 16, 2012)

The Wall Street Journal reports the Federal Communications Commission (FCC) has approved stronger telemarketing rules aimed at computer-generated and prerecorded calls. "Consumers by the thousands have complained to us, letting us know that they remain unhappy with having their privacy invaded and their time wasted by these unwanted calls," said FCC Chairman Julius Genachowski. The rules will require certain telemarketers "to obtain written consent before placing so-called robocalls," the report states, noting they may not "make robocalls simply because a person previously had done business with that telemarketer." Telemarketers will also be required to provide consumers with opt-out mechanisms during each call. In Reed Smith's Global Regulatory Enforcement Law Blog, Judith Harris and Amy Mushahwar highlight the details of the FCC's order. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Company Retains Contact List, Congressmen Write to Cook (February 16, 2012)

Twitter has confirmed that it stores contact list data for 18 months though the social network's privacy policy does not explicitly state that the data is uploaded and stored, ZDNet reports. Law enforcement has expressed interest in Twitter data on a number of occasions and is more interested in who users are contacting than what they tweet. It's also unclear for how long deleted tweets are retained, the report states. The company said the policy will be clarified. Meanwhile, Reps. Henry Waxman (D-CA) and G.K. Butterfield (D-NC) wrote to Apple CEO Tim Cook on Wednesday asking whether "Apple's policies ensure developers can't share or collect user data--such as iPhone contact lists--without permission."
Full Story

PRIVACY LAW—EU

Court of Justice Decision “A Win” for Privacy (February 16, 2012)

A European Court of Justice decision on filtering online content is a "win" for privacy, The Inquirer reports. In Sabam v. Netlog, the court found, "The owner of an online social network cannot be obliged to install a general filtering system, covering all its users, in order to prevent the unlawful use of musical and audio-visual work." The ruling follows an earlier decision involving another ISP, and in both cases, the court has indicated "there is a requirement to strike a fair balance between the right to intellectual property...and the privacy right to protection of personal data," the report states.
Full Story

DATA PROTECTION—UK

ICO Opens Consultation on Audit Policy (February 16, 2012)

The Information Commissioner's Office (ICO) has opened a consultation on proposed changes it has made to its code of practice on mandatory data protection audits, Out-Law.com reports. Government departments are subject to mandatory audits when the ICO issues assessment notices, a power granted to the authority under the Data Protection Act. Its revised code of practice states that government departments would have six weeks to agree to an audit within an accepted timeframe before an assessment notice would be issued. The ICO will issue a notice if it has reason to ensure that a department has taken appropriate measures to comply with previously mandated changes to its privacy practices.
Full Story

PRIVACY LAW—CANADA

Bill Boosts Law Enforcement, Raises Privacy Concerns (February 15, 2012)

A new draft law allowing law enforcement entities to request data from Internet service providers without a warrant has raised alarms from Canadian privacy regulators, Reuters reports. Bill C-30, or The Protecting Children from Internet Predators Act, was tabled yesterday in the House of Commons. In addition to giving law enforcement warrantless access to personal data such as names, addresses, e-mail addresses and phone numbers, the bill would also require telecommunications companies to install surveillance equipment on their networks.

SOCIAL NETWORKING—U.S.

FBI Defends Social Media Monitoring Plans (February 15, 2012)

The Federal Bureau of Investigation (FBI) says its proposed plans to monitor data posted on social media sites and blogs will be fully examined by the agency's Privacy and Civil Liberties Unit, Computerworld reports. The FBI says the monitoring will help it detect credible threats in real time and will focus on key words rather than individuals or specific groups. In a statement, the FBI wrote, "Although the FBI has always adapted to meet changes in technology, the rule of law, civil liberties and civil rights will remain our guiding principle." The Electronic Privacy Information Center has already raised privacy concerns about a similar program planned by the Department of Homeland Security.
Full Story

PRIVACY LAW—EU

CEDPO Supports Role of DPO in Data Protection Regs (February 15, 2012)

The Confederation of European Data Protection Organizations (CEDPO), in a press release, says it "welcomes the recognition of Data Protection Officers (DPOs) as key players" in the draft data protection regulation adopted by the European Commission. The regulation requires the designation of a DPO in organizations with 250 employees or more, public bodies and those in which the main activities involve processing that requires "regular and systematic monitoring of data subjects." Christoph Klug of the GDD said, "DPOs will help to make data protection more effective, to reduce unnecessary administrative burdens and to create trust," while Sachiko Scheuing of the Dutch NGFG notes, "The positive impact of DPOs is already proven by a study of the Dutch Ministry of Justice. We are pleased to hear that this fact is recognized at European level." The requirement allows for flexibility in the positioning of the DPO within--or even outside--an organization, which Cecilia Alvarez of the Spanish APEP says will help to accommodate "the needs to fit organizations of all sizes." Pascale Gelly, CIPP/E, of the French AFCDP says CEDPO members can now join forces to "share their pan-European experiences on topics such as the necessary qualifications which DPOs should hold, the scope of the DPOs' tasks and how to ensure their independence." The CEDPO has released a comparative study of the role of the DPO in 12 European member states.
Full Story

PRIVACY—AUSTRALIA

Pilgrim: Cuts May Impact Effectiveness (February 15, 2012)

Australian Privacy Commissioner Timothy Pilgrim is voicing concern about cuts in funding due to an increase in the government's efficiency dividend, which aims to obtain the same output with reduced resources in government agencies. ZDNet reports that an Office of the Australian Information Commissioner (OAIC) spokesperson said the office will allot for the dividend through staff attrition and eliminating possible redundancies, but Pilgrim says the OAIC's workload is increasing and unpredictable, and a staff reduction could affect the office's abilities to meet the needs of the community. "In terms of what we call our own motion investigations...it's hard to anticipate what the level will be at any particular time," said Pilgrim.
Full Story

BIOMETRICS—INDIA

UIDAI Chairman Defends Plan (February 15, 2012)

In an interview with Business Today, Unique Identification Authority of India (UIDAI) Chairman Nandan Nilekani discusses concerns surrounding India's unique ID program. UIDAI will assign each citizen a unique identifying number, but legal experts and advocates have said the plan doesn't provide enough privacy safeguards. However, Nilekani says that privacy is "something you trade for convenience" and that once people understand the plan's convenience, "they will understand what they are giving up is very trivial." Though biometrics are collected, the data is anonymized, not shared with private companies and no one has access to it, Nilekani says.
Full Story

ONLINE PRIVACY

Experts: Big Data Means Big Decisions (February 15, 2012)

"We live in an age of 'big data,'" which brings with it "immense economic and social value" but also concerns about privacy, write two privacy experts in the Stanford Law Review. Associate Professor at the College of Management School of Law Omer Tene and Future of Privacy Forum Director Jules Polonetsky, CIPP/US, describe the many benefits of big data, while acknowledging a "data deluge" could foment a "regulatory backlash" capable of "dampening the data economy and stifling innovation." Tene and Polonetsky write, "In order to craft a balance between beneficial uses of data and the protection of individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of 'personally identifiable information,' the role of consent and the principles of purpose limitation and data minimization." Editor's Note: Omer Tene and Jules Polonetsky will both present at next month's Global Privacy Summit.  
Full Story

DATA LOSS—U.S.

Managers Knew of Breach, Failed To Act (February 15, 2012)

Network World reports that senior managers and the former CEO at now-defunct company Nortel were allegedly aware of a long-standing data breach on the company's computer systems but failed to take action. A former Nortel employee discovered the breach but was prevented from taking action by company executives, the report states. "I think the response is shameful," said a senior security advisor. Another expert called the breach "disturbing" and said Nortel's response was worse. "They should have called law enforcement," he said. Editor's note: An expert panel will discuss real-life data breach examples and how to avoid pitfalls in the breakout session "Mending Fences After a Breach" at the IAPP Global Privacy Summit.
Full Story

PRIVACY LAW—EU & U.S.

Rosen: The Right To Be Forgotten Could Close the Internet (February 14, 2012)

Unless the "right to be forgotten" is defined more precisely as it is implemented within the EU, a clash between European and American conceptions of the proper balance between privacy and free speech could lead to a far less open Internet. That's according to Jeffrey Rosen, who opines in the Stanford Law Review on differences between European and U.S. approaches to "an urgent problem in the digital age: It is very hard to escape your past on the Internet now that every photo, status update and tweet lives forever in the cloud."

ONLINE PRIVACY—U.S.

Survey: Adults Serious About Online Privacy (February 14, 2012)

A recent survey found that 90 percent of U.S. adults worry about online privacy and 41 percent don't trust most companies with their personal data, DM News reports. The TRUSTe survey, the first of a four-part series, found that those between 45 and 54 years old worry more than other age groups, though the differences were narrow. Eighty-two percent of 18- to 34-year-olds surveyed said they would avoid a business if they felt it did not believe in protecting their privacy, the report states. "It's more equally balanced in the concerns across all demographics than I was expecting," said TRUSTe CEO Chris Babel.
Full Story

DATA LOSS—U.S.

Breach-Related Credit Monitoring Exceeds $600,000 (February 14, 2012)

The cost of credit monitoring following last year's breach in the Texas Comptroller's Office where information including names, addresses and Social Security numbers was accidentally placed on a publicly accessible server has exceeded $600,000, The Dallas Morning News reports. Investigations into the breach are continuing, the report states, but officials have noted "the state has found no indication that personal details were misused." More than 100,000 people enrolled in credit monitoring offered by the office, the report states, resulting in "a state payment of $600,492 for the service" in addition to costs the comptroller has agreed to pay out of her campaign account.  
Full Story

BEHAVIORAL TARGETING

NAI Releases 2011 Compliance Report (February 14, 2012)

The Network Advertising Initiative (NAI) has released an annual compliance report of its more than 80 member companies. The report includes a review of its members' online behavioral advertising practices and an analysis of members' compliance with the NAI's self-regulatory code of conduct--"a set of fair information practice principles tailored specifically to today's rapidly evolving advertising landscape," NAI Managing Director Marc Groman, CIPP/US, notes in his introduction to the report. The report found a "high level of member compliance," an increase in consumer interest and detailed plans for the 2012 compliance program, which "must continue to adapt and expand." Groman said, "This year's report once again demonstrates that NAI members take seriously their obligations to provide transparency and choice for online behavioral advertising."
Full Story

ONLINE PRIVACY

New Tool Scores Site Privacy (February 14, 2012)

Using an algorithm that gives points for various data-handling activities, a new online tool has analyzed more than 1,000 websites and rated them on how they use personal data--including how third parties track users through the websites, reports Wired. PrivacyChoice Founder Jim Brock says the tool works for site owners and consumers alike. "We show this to websites, and the first question they ask is how do I get my score up," Brock said, adding, "We're hoping this whole feedback loop between the websites and the tracking companies will cause these scores to go up." The company also offers a browser plug-in that gives real-time privacy scores for websites that users can choose to share with PrivacyChoice to expand its algorithm, the report states.
Full Story

PRIVACY LAW—IRELAND

Insurance Firms Breached Data Protection Act (February 14, 2012)

Three insurance companies have pleaded guilty to charges of breaching the Data Protection Act by using social welfare data obtained through a private investigator, reports The Irish Times. The breach was discovered through a complaint from the Department of Social Protection after it noticed "an unusual pattern of access to its database by an official, who had also been making phone calls to two specific numbers." The companies will each pay €20,000 to charity and all legal costs, and the data protection commissioner's office said it is satisfied that the companies have improved their systems and are working to be compliant.
Full Story

SOCIAL NETWORKING

Online Dating Sites Contain Risks, Even Afterward (February 14, 2012)

Posting personal data to online dating sites has its risks, even once a user is no longer active on the site, PCWorld reports. Holes in security practices mean that users' privacy and potentially financial security are at risk, according to the Electronic Frontier Foundation (EFF). Dating profiles "remain online for months or years after a member has let a subscription lapse," the EFF says. A recent EFF survey found some sites' HTTPS implementations--which protect a user's browsing history--worked only partially or not at all.
Full Story

ONLINE PRIVACY

Protecting and Pricing Personal Data on the Web (February 13, 2012)

The New York Times explores the view of personal data as "the oil of the digital age" and the push to use such data "as a kind of online currency, to be cashed in directly or exchanged for other items of value." The report looks at startups aimed at giving online users control of their information while potentially profiting from it. "Many of the new ideas center on a concept known as the personal data locker," the report states, where users have "a single account with information about themselves."

PRIVACY LAW—U.S.

Settlement Lowers Fourth Quarter Earnings (February 13, 2012)

Netflix has disclosed a change in its fourth-quarter earnings after its settlement over violations of the Video Privacy Protection Act (VPPA), The Washington Post reports. The $9 million settlement resulted in a 14-percent decrease in the company's fourth-quarter net income. Netflix did not admit wrongdoing in the settlement, and no other details of the settlement were released. A lawsuit filed by Virginia residents alleged Netflix had been violating the VPPA by retaining subscribers' rental histories for up to two years after they'd cancelled their subscriptions. Meanwhile, Netflix has been lobbying Congress to amend the VPPA to allow for blanket user consent to share subscribers' rental preferences on Facebook. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—GERMANY

Company Accused of Selling Raw Data (February 13, 2012)

The Local reports on allegations about the sale of raw data to pharmaceutical firms by a German research company. An employee of data processing firm Pharmafakt GFD has said under oath that "data from millions of pharmacy prescriptions had been saved and analyzed then sold to pharma firms," the report states. The employee alleged the data was neither made anonymous nor coded. Schleswig-Holstein Data Protection Commissioner Thilo Weichert has said, "This could be one of the biggest data scandals in the country in the medical field." A Pharmafakt GFD manager has denied the allegations, saying the company has adhered to data protection laws.

DATA THEFT—IRELAND

Unencrypted Laptops Stolen from Telecoms Firm (February 13, 2012)

Telecommunications company eircom has reported that, in two separate instances, unencrypted laptops containing the personal information of approximately 7,000 customers and employees were stolen, CBR reports. Two of the laptops were stolen from the company's Dublin office and contained financial or bank details of nearly 150 individuals. Irish Data Protection Commissioner Billy Hawkes said the breach is one of the "most serious" his office has seen, "Because the nature of the financial data that was on the unencrypted laptops puts people at risk of data theft and secondly, the long delay in telling people that their data had been compromised and giving them the opportunity to protect themselves." Hawkes added that his office is investigating the incident. 

DATA PROTECTION

Opinion: Mine the Data, Then Apologize (February 13, 2012)

In a blog post for The New York Times, Nick Bilton explores the repercussions of last week's privacy breach involving mobile social networking site Path and comments made by the site's chief executive, who said the company's actions were an "industry best practice." Bilton writes, "The big deal is that privacy and security is not a big deal in Silicon Valley." Several industry peers "applauded" Path CEO David Morin, while engineers pointed out to Bilton that the data collection was not an accident. "It seems the management philosophy of 'ask forgiveness, not permission' is becoming the 'industry best practice.' And based on the response to Mr. Morin, tech executives are even lauded for it," Bilton writes. (Registration may be required to access this story.)

DATA LOSS

Pharmacy, Pornography Site Expose Customer Data (February 13, 2012)

The news program 9Wants to Know retrieved medical records of an estimated 5,000 people from a dumpster behind a Denver, CO, pharmacy after receiving a tip. Department of Health and Human Services Office for Civil Rights Director Leon Rodriguez would not confirm whether the agency was investigating the incident but noted that it is "something we view as a violation," and, "depending on the circumstances, we might impose significant monetary fines." Meanwhile, a hacker claiming affiliation with hacktivist group Anonymous infiltrated an inactive pornography website, posting to the Internet a sampling of the compromised data. The e-mails, user names and encrypted passwords of more than 350,000 users were exposed, reports the Associated Press.

ONLINE PRIVACY

Personal Data Deletion Not An Easy Task (February 13, 2012)

Deleting personal information permanently from the web can be more difficult than it should be, reports The Wall Street Journal. One startup specializing in data removal reports 10 percent of the records it removes reappear every day. "People have this expectation that they can opt out and never check it again, and that's not a reasonable expectation," said one expert. Some U.S. regulators and lawmakers are working toward solutions. The White House is expected to call for consumer rights on personal data stored about them in its "Privacy Bill of Rights" to be released later this year, and FTC Commissioner Julie Brill called on data brokers last month to increase transparency. (Registration may be required to access this story.)

SOCIAL NETWORKING

Opinion: Date-Rating Site Blurs Online Privacy (February 10, 2012)

In a column for The Guardian, Tom Scott analyzes a date-rating site to uncover where data from Facebook can eventually end up. Called Luluvise, this "social network for women" allows women to share personal information about the men they are dating without their consent. One feature, called WikiDate, allows users to "rate" the men. To do so, a user must sign in using their Facebook account. Scott points to Facebook's privacy page, which says, "People who can see your info can bring it with them when they use apps," meaning, Scott argues, "that when your friend signs into an application, they don't just share their own data--they can share some of your data as well." For Scott, the essential lesson is, "if you use Facebook, and your friends sign up for social applications, your name and details could appear in unexpected places."

PRIVACY LAW—U.S.

Judge Allows Request for Speedy Review of Suit (February 10, 2012)
A federal court has agreed to a request from the Electronic Privacy Information Center (EPIC) to expedite the review of its lawsuit against the Federal Trade Commission (FTC). The lawsuit, filed earlier this week, aims to stop Google from rolling out its new privacy policy and alleges the new policy violates the settlement Google made with the FTC last year, The Washington Post reports.

ONLINE PRIVACY

Pay-for-Data Panel Already Full (February 10, 2012)

In a Forbes feature, Kashmir Hill writes about the recent announcement that Google will begin paying Chrome users who sign up to participate in a panel allowing the company to track their web activities. Users will receive up to $25 in gift card codes per year, the report states. "So your online privacy over a yearlong period is worth a little bit less than a six-pack of Marshmallow Fluff--$26.75," Hill writes. The panel is already full, the report states, noting Google has announced, "We appreciate and are overwhelmed by your interest at the moment. Please come back later for more details."

PRIVACY LAW—U.S.

Publishers Hit With Lawsuits in California (February 10, 2012)

Almost a dozen publishers are being sued in California for breaking the state's "shine the light" law requiring companies to tell customers who's buying their data or allow customers to opt out, reports MediaPost News. The 11 lawsuits allege the publishers did not comply with a requirement that companies with only a web presence in the state post contact information on the first page of their privacy policy for customers to inquire about who has bought their data. If the customers can prove the violations, they are entitled to $3,000 each; however, in past privacy cases, proving harm has been difficult, the report states.

PRIVACY LAW—U.S.

Jeweler Files Lawsuit Over IT Breach (February 10, 2012)

A Chicago-based jeweler has filed a lawsuit against an IT consulting firm, claiming the company's negligence made it possible for unauthorized entities to access customers' financial data between April and August 2010, reports the Chicago Tribune. According to the suit, a consultant from BridgePoint Technologies advised C.D. Peacock to go around a faulty VPN connection and allegedly assured the jeweler that this move would be secure. "Circumventing the VPN led almost immediately to a serious security breach," the company said in its lawsuit. Malicious software was installed on the jeweler's credit card system, allowing hackers to "access the confidential personal data and financial information of C.D. Peacock's customers," which was then transferred to a remote system. The lawsuit did not specify how many customers were affected.

PRIVACY LAW—U.S.

Hotel Sued for Disclosing Customer Information (February 10, 2012)

A customer of the Ritz-Carlton Key Biscayne, a hotel under the parent company Marriott Hotels, has filed suit against the hotel, claiming it gave her billing information to her ex-husband without authorization, reports the Sun Herald. According to court documents, the woman's ex-husband contacted the hotel and was able to obtain a complete detailed copy of her billing folio, including home address and all charges incurred by her and her minor son during their stay--which he then used in a custody dispute. The hotel denies handing over the information, and its reservation policy states that it does not "permit the sale or transfer of personally identifiable information to entities outside the Marriott family of companies and hotels."

FINANCIAL PRIVACY—U.S.

Legislative Omission Ignites Debate (February 10, 2012)

The Wall Street Journal reports on a legal omission in the Dodd-Frank law that has banks fearing the loss of privacy when turning over sensitive financial documents to the newly created Consumer Financial Protection Bureau (CFPB). Lawmakers and industry representatives discussed the concerns at a House subcommittee hearing on Wednesday. A 2006 law mandated that confidential legal documents shared with bank regulators remain confidential, but Dodd-Frank--which created the CFPB--did not update the 2006 legislation to include the CFPB with the other bank regulators. At the hearing, Mayer Brown Partner Andrew Pincus said the omission will burden the process, adding, "It'll take longer and eliminate the flow of information back and forth that I think everyone agrees is what makes the examination process work." (Registration may be required to access this story.)

DATA PROTECTION—AUSTRALIA & EU

Expert: Australia Needs Stronger Laws (February 10, 2012)

In an interview with ZDNet Australia, the Council of Europe Head of Data Protection and Cybercrime Division Alexander Seger said that without stronger data privacy laws, Australia may miss opportunities to provide services to European citizens. While this data can be processed in any country, Seger says, "it makes it very difficult if that country does not have data protection standards in place," adding, "It would actually be illegal..." While Australia has taken the lead in providing offshore forensic services, Seger says it could be more proactive in data protection.

PRIVACY—UK

A Day In the Life of Christopher Graham (February 10, 2012)

Highlighting the frantic schedule of a regulator, UK Information Commissioner Christopher Graham shares a snapshot of a week of his life with Public Service Europe. Among the many public and personal duties he fulfills, Graham meets with the communications commissioner to discuss "cookies" and the new privacy and electronic communications rules; composes a rebuttal letter on the Leveson inquiry; drafts another letter to local government leaders to promote data protection due diligence; attends his reelection as Article 29 Working Party vice chairman, and hears a "very interesting presentation" by the U.S. FTC demonstrating the need for "a more global approach to global phenomena." Editor's Note: Graham will be a panelist at the preconference workshop Advanced Topics in European Privacy at next month's Global Privacy Summit.

PRIVACY LAW—EU

Reding: Ambiguity, Adaptability Essential in Directive (February 9, 2012)
In today's data currency age, EU Justice Commissioner Viviane Reding hopes that her E-Privacy Directive will offer a balance between "commercial interests and personal privacy," The Telegraph reports. After fighting "absolutely fierce" lobbying "from all sides," Reding says, "the legislation was on the table on January 25 as I wanted to have it."

PRIVACY LAW—U.S.

EPIC Files Lawsuit Against FTC To Stop Google (February 9, 2012)

The Electronic Privacy Information Center (EPIC) has filed a federal lawsuit against the Federal Trade Commission (FTC) in hopes of stopping Google from rolling out its new privacy policy, the Los Angeles Times reports. EPIC is asking that a temporary restraining order and injunction be issued to "require the FTC to enforce the consent order it reached with Google last year," the report states. In a post to the IAPP Privacy List, Wiley Rein's Kirk Nahra, CIPP/US, said the case will be really interesting to watch "as it is attempting to force the FTC to act swiftly and aggressively, two things that most privacy regulatory and enforcement agencies typically have not been willing to do."

MOBILE PRIVACY

App Maker Apologizes for Lack of Transparency (February 9, 2012)

Mobile app maker Path apologized after it was discovered that its software automatically uploaded address books to company servers without user consent, PC Magazine reports. The issue was discovered and disseminated by a developer who noticed the default operation uploaded contacts' full names and e-mail addresses. Path Chief Executive Dave Morin said the company made a mistake but the transmission was done over an encrypted connection and stored securely on company servers. Path has also released a new version of the software that allows users to opt in or out of sharing the data. A report by The Washington Post notes, "Path is learning what several app and social networking companies have learned about user privacy: transparency is key."

SOCIAL NETWORKING

Facebook To Unveil New Advertising Format (February 9, 2012)

Financial Times reports on Facebook's new Timeline advertising feature and its new privacy implications. Users who opt in to use features from companies such as some music, movie and news providers will not be able to opt out of their activity being used for paid advertising, the report states. An analyst from the Altimeter Group said, "There will be a user hue and cry. There will be further reminders that Facebook is using information about users and using their data to sell them to advertisers," but added, "People care more about getting free media than they do about their privacy." (Registration may be required to access this story.)

PRIVACY LAW—U.S. & CANADA

Lawsuit Raises Workplace Privacy Questions (February 9, 2012)

A Toronto attorney reacts to the employee privacy suit filed against the U.S. Food and Drug Administration after employees discovered the agency had been monitoring their personal, password-protected e-mail accounts for two years. ITWorldCanada reports that, according to Canadian employment law expert Christine Thomlinson, Canada's Personal Information Protection and Electronic Documents Act has statutes requiring that employers obtain consent to monitor employee e-mails, so, in this case, employees would have an expectation of privacy. An attorney with the U.S.-based Electronic Frontier Foundation says that while many organizations in the U.S. have clear guidelines surrounding activity on workplace computers, the issue of monitoring private e-mail accounts has been "largely untested" in courts, the report states.

ONLINE PRIVACY—UK

Opinion: Privacy Policies Won’t Cut It for Cookie Compliance (February 9, 2012)

In a column for Search Engine Land, Andy Atkins-Krüger offers advice on how to comply with cookie legislation in the UK. The Information Commissioner's Office (ICO) indicated that though The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 came into force last year, enforcement actions would not begin for 12 months. The most important part of the ICO's guidance document on the law is the word "consent," Atkins-Krüger writes. Sites can assume they are compliant as long as users are warned of cookies and given the chance to opt in; the opt-in cannot be implied. "Hiding this information in the privacy policy will definitely not wash," he said.

PRIVACY LAW—U.S.

Notification May Come, Consensus Needed (February 9, 2012)

Lawmakers in Washington, DC, have cited large-scale data breaches as reason for data protection and breach notification laws, but little progress has been made, reports POLITICO. Some stakeholders are now hopeful that the laws could be addressed in amendments to an upcoming Senate cybersecurity reform bill drafted by Joe Lieberman (I-CT), Susan Collins (R-ME) and Jay Rockefeller (D-WV). While the current draft does not contain specifics on notification or safeguards, a spokeswoman for Lieberman says the senator would "be happy to consider" the issue. The report states, however, that "In the Senate, reform efforts remain disparate--with multiple committees pitching multiple bills," but stakeholders believe amending this bill would put "the issue in front of the full chamber and could raise its odds of becoming law this year."

PRIVACY LAW—NEW ZEALAND

Information Sharing Bill Passes First Reading (February 8, 2012)
A bill that will lower the threshold for sharing of individuals' personal information has passed its first reading in Parliament, reports The New Zealand Herald. Greens oppose the bill, which would apply to both public and private agencies, saying it erodes privacy rights.

SOCIAL NETWORKING

Activist: Facebook Will Release Data (February 8, 2012)

An Austrian privacy activist group has said Facebook will release more information about the data it collects from users, Reuters reports. The comment came following a six-hour meeting on Monday between Europe V. Facebook and executives from the social network. "We have a fixed commitment that we will finally know what Facebook stores in the background," said Max Schrems, who heads up the activist group, adding, "that means a list of all categories of data that are clicked on by users." While Facebook has declined to comment specifically on Schrems' statements, the company has said it was "a very constructive meeting," the report states.

FINANCIAL PRIVACY—U.S.

House Hearing Explores CFPB Authority (February 8, 2012)

The U.S. House of Representatives Committee on Financial Services today is holding a hearing to explore the Consumer Financial Protection Bureau's (CFPB) mandated authority over banks, credit unions and mortgage brokers, among others, Fox Business reports. Concerns have been expressed by some in the financial sector that the authority leaves banks unprotected after turning over sensitive documents to the agency. The "Legislative Proposals to Promote Accountability and Transparency at the Consumer Financial Protection Bureau" hearing includes witnesses from the American Bankers Association, the U.S. Chamber of Commerce, the American Financial Services Association and George Washington University. Meanwhile, Rep. Carolyn Maloney (D-NY) is co-sponsoring a bill to provide better protections and privacy safeguards for financial institutions when handing over sensitive documents to the CFPB. Editor's Note: An expert panel will discuss the latest developments at the CFPB during the session "Who's on First? New Roles and Authority for the CFPB, FTC, Banking Agencies and Securities" at the IAPP Global Privacy Summit.

ONLINE PRIVACY

Search Engine Offering To Pay Users To Share Data (February 8, 2012)

eWeek reports on Google's Screenwise program, which offers to pay Chrome users ages 13 and older up to $25 in gift card codes if they install a browser extension to share data about websites they visit with the company. "What we learn from you, and others like you, will help us improve Google products and services and make a better online experience for everyone," Google wrote. The report notes that amidst recent concerns about changes to its privacy policies, Google has noted that it "will not save your e-mail address or associate it with any other personally identifiable information."

PRIVACY LAW—U.S.

Senate Passes Bill that Will Increase Drone Use (February 8, 2012)

The U.S. Senate on Monday passed a bill to fund the Federal Aviation Administration (FAA) for four years--totaling $63 billion--providing the FAA opens air space to allow for more government and private use of drones, reports Forbes. The FAA was given 90 days to speed up the permission process for government and law enforcement to use drones and by 2015 will be required to allow commercial use of drones. The ACLU, among others, is concerned that there's no talk about limiting drone use. "Congress--and to the extent possible, the FAA--need to impose some rules...to protect Americans' privacy from the inevitable invasions that this technology will otherwise lead to," said an ACLU spokesman.

DATA LOSS

Study: Third Parties, Food and Beverage Hit Hardest (February 8, 2012)

The 2012 Global Security Report by Trustwave SpiderLabs shows that the food and beverage industry is the hardest hit by breach incidents--making up 44 percent of breaches investigated by SpiderLabs in 2011--and that third-party remote-access applications are the most common point of entry for hackers, reports Infosecurity. According to the report, criminals target the food and beverage industry because of its high transaction rate and low barrier, as well as a lower security awareness. CIO reports that in 76 percent of breaches analyzed, a "third-party responsible for system support, development and/or maintenance introduced the security deficiencies exploited by attackers." Other prime targets for hackers are franchise and chain stores, because they often use the same IT systems and hackers may be able to easily duplicate the attack.

PRIVACY

Getting To Know A Privacy Pro (February 8, 2012)

Megan Hertzler's path to privacy was sort of an accident. Hertzler started at the Minnesota Attorney General's Office as counsel to the Minnesota Public Utilities Commission (PUC) but says there wasn't a great emphasis on customer privacy back in 1997. Today, she's the assistant general counsel and director of data privacy at Xcel Energy, a position she more or less self-designed at a time when there wasn't really a model for a privacy-specific position at an energy company. In this exclusive for The Privacy Advisor, Hertzler discusses utilities' challenges when it comes to smart meters, the importance of transparency and her New Year's resolution.

PERSONAL PRIVACY—U.S.

Background Check Apps Get FTC Warning (February 7, 2012)
The Federal Trade Commission has warned the marketers of six background screening mobile applications to review their policies and procedures and make sure they comply with the Fair Credit Reporting Act (FCRA).

PERSONAL PRIVACY—CANADA

New Citizens’ Data Potentially Mishandled (February 7, 2012)

In efforts to put together a televised citizenship ceremony, communications staff of Citizenship and Immigration Canada were provided lists of newly naturalized Canadians so they could seek participants to retake their oaths. The Canadian Press reports that some say this represents a breach of the Privacy Act because the government used the information for a purpose other than that for which it was obtained. The staffers who contacted the new citizens were not those who processed citizenship applications, and an access to information request by The Canadian Press turned up no record of discussions surrounding the legality of accessing the citizenship database.

DATA PROTECTION—EU

Article 29 WP Publishes Meeting Notes (February 7, 2012)

The Article 29 Working Party has released notes about its 84th plenary meeting in Brussels last week, during which the group undertook elections; met with representatives from the U.S. Federal Trade Commission and the Organisation for Economic Co-operation and Development, and discussed Google's privacy policy changes and an upcoming anti-doping code revision. The party reelected Dutch Data Protection Commissioner Jacob Kohnstamm as chairman of the group, which comprises the data protection authorities of EU member states. Czech Data Protection President Igor Nemec and UK Information Commissioner Christopher Graham were reelected as vice-chairmen. The party recently wrote to the European Commission about revisions to the World Anti-Doping Agency's code.

PRIVACY LAW—U.S.

Expert Weighs In On AG’s Lawsuit (February 7, 2012)

A healthcare privacy expert provides analysis on the recent lawsuit filed by Minnesota Attorney General Lori Swanson against debt collector Accretive Health for violating state and federal health privacy laws, state debt collection laws and consumer protection laws. The suit involves a relatively common situation--a lost laptop containing 23,500 patients' personal information--says Wiley Rein's Kirk Nahra, CIPP/US. But it's important in two significant and different ways, he says. "First, this case reflects a HIPAA enforcement action brought by a state attorney general (AG) based largely on political concerns rather than true compliance issues. The company was engaged in debt collection efforts but also had created various financial profiles about the patients as part of these efforts," he says. "There is nothing on the face of these facts that reflects a violation of HIPAA in the activities engaged in by this company, and the Minnesota Attorney General appears to be using the security breach as an opportunity/excuse to pursue enforcement actions--under HIPAA and other laws--against practices that it simply does not like." Second, says Nahra, this case is the first to be brought against a business associate under HIPAA, though AGs have typically indicated they feel the final rules are necessary before enforcement actions can begin. This case indicates that "business associates should be prepared to face HIPAA enforcement challenges now...even before the final rules are issued," Nahra notes.

PRIVACY LAW—UK

ICO To ‘Fast-Track’ Motorman Notification (February 7, 2012)

Information Commissioner Christopher Graham said he would quicken operations to notify individuals whose names were among 4,000 found during a 2003 investigation into the trade of personal information by private investigators, BBC News reports. Operation Motorman revealed that a private investigator possessed the sensitive personal data and information logging requests by journalists to access the data, the report states. Graham said many of the names did not have corresponding addresses, making notification "a monumental task." Parliament has opened a probe into the private investigator industry after concerns were raised about press ethics during the Leveson inquiry. Graham will answer questions from the House of Commons Home Affairs Select Committee today.  

DATA LOSS

Lessons From Breach Response Missteps (February 7, 2012)

In an interview with BankInfoSecurity, IT Law Group Managing Director Francoise Gilbert, CIPP/US, says that organizations can glean lessons from the recent breach response of Zappos. Gilbert says that organizations should already have an incident response plan in place as well as breach notification action items for customers to help them take appropriate steps after an incident. "It's time for companies to have a (plan)," she says, "to be prepared to have organized their company, phone lines, forensics, to have established that relationship with the Secret Service, the FBI and so on." Additional topics discussed include the content of Zappos' breach notice, incident response missteps taken by the company and breach readiness tips for organizations.  

ONLINE PRIVACY—U.S.

Teens Increasingly Migrating to Twitter (February 7, 2012)

USA TODAY reports that teens are increasingly migrating to Twitter, partly because the platform offers more privacy than other social networking sites with the permitted use of pseudonyms. A Pew Internet & American Life Project survey last July found that 16 percent of young people--ages 12 to 17--said they use Twitter. That's up 50 percent from the previous year. Nearly one in five 18- to 29-year-olds are using the site. But parents shouldn't assume that Twitter accounts, even on a "locked" setting, are private, said one expert, adding that online privacy is "mythical privacy."

TRAVELERS’ PRIVACY—AUSTRALIA

Advocates Concerned About Body Scanner Legislation (February 7, 2012)

Proposed legislation that would prevent Australians from having the option to opt out of full-body scans at Australian airports has advocates concerned, ABC Melbourne reports. The federal government will this week introduce legislation to roll out body scanners at all of the country's international airports, but Civil Liberties Australia (CLA) says passengers should have the right to opt out. "In the European Union, where they do allow these types of scanners, they have issued a directive that says governments must provide citizens with an option to opt out," said CLA director Tom Vines.

PRIVACY LAW

Opinion: Tracking Technologies Must Be Subject To Law (February 7, 2012)

Tracking technologies are a real threat to an individual's privacy, opines Christopher Caldwell in the Financial Times. Though a recent Supreme Court ruling that police needed a warrant to track a suspected criminal's vehicle was a step in the right direction, he noted the justices cannot agree on why tracking citizens should be a problem. Justice Antonin Scalia reasoned in the majority opinion that the tracking was problematic because, by placing the GPS on the suspect's car, the police "physically occupied private property," Caldwell writes. Technology has changed the ways search and seizures occur, and therefore, such technologies "must be subjected to strict constitutional safeguards," writes Caldwell, and "It is by no means certain, alas, that they will be."

HEALTHCARE PRIVACY—U.S.

Hospitals Data Mining For Patients (February 6, 2012)
USA TODAY reports on an increasingly common practice among hospitals to use patients' health and financial records to market services, sometimes buying such information from consumer marketing firms. Doug Heller, executive director of Consumer Watchdog, says he's bothered by such "cherry picking," while the World Privacy Forum's Pam Dixon says people would be shocked to know how many nonmedical personnel have legal access to their medical data to help hospitals attract business.

PRIVACY LAW—HUNGARY & EU

Hungary To Revise Law (February 6, 2012)

Bloomberg reports that the Hungarian government will rework a law that has been the subject of controversy since it took effect on January 1. The European Commission launched infringement proceedings against the government last month over three laws considered to be in violation of EU law. One of the laws in question pertains to the independence of the country's data protection authority. According to a Hungarian newspaper, the prime minister's cabinet has indicated it will revise the law to exclude the right of the premier to dismiss the data protection agency's leader.

DATA LOSS—CANADA

Customers Say Bank Breached Their Privacy (February 6, 2012)

Two customers of the Bank of Montreal (BMO) say the bank gave their personal banking information to unauthorized third parties, reports CBC News. One woman says a bank teller mistakenly handed over her credit card information to her mother without consent, and another's bank statement was sent to her ex-husband's address. The woman says her address was changed to that of her ex-husband in the BMO system without her knowledge. While BMO acknowledges that the woman's address was changed, it responded to her lawsuit by assigning blame to the ex-husband, stating that he breached her privacy by opening her mail.

SOCIAL NETWORKING

Facebook Execs, Activist Meeting Today (February 6, 2012)

A 24-year-old Austrian law student is scheduled to meet today with two Facebook executives to discuss what he believes are "illegal practices of collecting and marketing users' personal data, often without consent," The New York Times reports. Max Schrems, whose efforts grew into the grassroots Europe Versus Facebook movement, described his disquiet about Facebook's collection and retention of data by saying, "We in Europe are oftentimes frightened of what might happen someday." Facebook has issued a statement that its practices are in line with EU law, noting users may obtain a copy of their Facebook information through their account settings, the report states. (Registration may be required to access this story.)

DATA LOSS—BRAZIL & U.S.

Financial Websites Hacked (February 6, 2012)

A computer hacker group that is calling itself "Anonymous Brazil" continued attacking Brazilian-based banks by launching "denial of service" attacks against multiple financial websites on Friday, FOX News reports. Sites affected include Febraban, Banco BMG, Banco Panamericano and Citigroup in Brazil and the U.S., the report states. Anonymous Brazil has said it is not attempting to steal data or funds. Earlier in the week, it had claimed responsibility for "crippling the websites" of Brazil's largest banks.

ONLINE PRIVACY—EUROPE

Google Responds to European Regulators (February 6, 2012)

Google has responded to European data protection regulators regarding their concerns about the company's plans to implement privacy policy changes on March 1. In a letter dated Friday, February 3, Google Global Privacy Counsel Peter Fleischer addressed Article 29 Working Party Chairman Jacob Kohnstamm, stating, "Given the misconceptions that have been spread about these changes by some of our competitors, we wanted to take this opportunity to clarify a few points." Fleischer said the company updated its privacy policies to "make them simpler and more understandable" and "to create a better user experience." Last week France's data protection agency, CNIL, asked Google to halt the policy changes.

GENETIC PRIVACY—U.S.

Washington Bill Proposes DNA Collection Upon Arrest (February 6, 2012)

A bill in front of the Washington state legislature would see DNA samples collected from people arrested for--as opposed to convicted of--most felonies and those that violate a domestic violence protection order, reports The Seattle Times. Similar laws have been passed in other states, but privacy advocates and some courts say the practice violates the Fourth Amendment. "It's collecting really sensitive information about an individual without there being reason to suspect that person of a crime," says a spokesperson for ACLU's privacy counsel. "There's not a definite answer on the constitutional questions," says a Washington prosecutor. "But the merits of this are so obvious it's worth having it go up to the courts."

HEALTHCARE PRIVACY—AUSTRALIA

Advocates Discourage E-Health Rollout in July (February 6, 2012)

The Medical Software Industry Association (MSIA) and the Australian Privacy Foundation have told a Senate inquiry hearing that personally controlled e-health records should not go live July 1. MSIA has requested that a Senate committee subpoena National eHealth Transition Authority (NEHTA) patient safety assessments and says it is "deeply troubled that as a private corporation NEHTA is not subject to freedom of information laws or other standard government controls." The Australian Privacy Foundation says NEHTA has excluded consumer privacy advocates from consultations. Whether the program should be opt-in or opt-out was also debated at the hearing, The Australian reports. (Registration may be required to access this story.)

PRIVACY LAW—CHINA

Chinese Ministry Issues New Regulation (February 3, 2012)

China's Ministry of Industry and Information Technology recently issued a regulation on new data protection requirements, reports Hunton and Williams' Information Security Law Blog. The regulation, "Several Provisions on Regulating Market Orders of Internet Information Services," will take effect March 15. It includes requirements that Internet information service providers will "provide stronger protection for the personal data they collect from users in China and will be subject to notice and consent requirements" as well as collection and use limitations, the report states. In addition, the regulation requires that "severe" data breaches be reported to a relevant authority immediately.

PRIVACY LAW—U.S.

Panel Approves Cybersecurity Act (February 3, 2012)

A House panel approved legislation this week that would require "the most privately operated national critical infrastructure to adopt information security standards to safeguard their IT systems and networks," BankInfoSecurity reports. The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness, or "Precise" Act, would authorize the Department of Homeland Security to coordinate security efforts across government agencies and would allow information sharing among governments and relevant businesses on matters pertaining to cybersecurity. The act was approved by the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies and will now move to the Homeland Security Committee.

SSN PRIVACY—U.S.

Database Focus of Hearing (February 3, 2012)

A House hearing this week focused on concerns about potential problems with the Social Security Death Master File (DMF), and one Social Security Administration official noted "that there are about 1,000 cases each month in which a living individual is mistakenly included" in the DMF, LifeHealthPro reports. The hearing was convened by Rep. Sam Johnson (R-TX), who is sponsoring the Keeping IDs Safe Act in an effort to keep the database from being made public, the report states. The hearing comes in the wake of concerns raised a few months ago about the potential misuse of deceased individuals' data posted in the DMF. 

PERSONAL PRIVACY—INDIA

Nation’s Attitudes Toward Privacy Shifting (February 3, 2012)

The Washington Post reports on growing concerns about personal privacy in a country that traditionally tends to identify with family and community over individualism. Among the reasons for this shift, the report states, are increased government surveillance; the explosion of online media and the Internet, and the country's biometric identification program. One professor said, "What is changing is that Indians are beginning to demand privacy protection for the information they share digitally, even though they are still not able to articulate a demand for privacy within their families and communities." (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Release of Celeb’s 911 Call Prompts Legislation (February 3, 2012)

Following the release of a celebrity's 911 call, a California legislator has announced plans to introduce a bill to prevent such calls from being made public, the Los Angeles Times reports. In a statement, Assemblywoman Norma Torres (D-Pomona), a former 911 operator, said, "Everyone has the right to privacy. The unauthorized release of medical records is already illegal; medical emergency calls should also be protected." Meanwhile, a GovInfoSecurity feature highlights concerns from privacy experts, including George Washington University Law School Prof. Daniel Solove, who has raised concerns that the release of such calls violates the right to privacy.

DATA THEFT—U.S.

Medical Records Thief Sentenced to Prison (February 3, 2012)

An Alabama woman has been sentenced to 39 months in federal prison for the theft of the medical records of approximately 4,000 individuals, al.com reports. Chief U.S. District Judge Sharon Lovelace Blackburn ruled that after she serves her prison sentence, the assailant will remain under supervision of a probation officer for five years and will not be allowed to have a job that has access to individuals' personal identification information.

ONLINE PRIVACY—FRANCE & U.S.

CNIL Asks Google To Halt Changes, U.S. Lawmakers Question Company (February 3, 2012)
France's data protection agency, CNIL, has asked Google to halt changes to its privacy policy, Bloomberg reports. The agency will "check the possible consequences for the protection of personal data" of Europeans given the changes, said Jacob Kohnstamm, chairman of the Article 29 Working Party. "We call for a pause in the interests of ensuring that there can be no misunderstanding about Google's commitments to information rights of their users and EU citizens until we have completed our analysis," said Kohnstamm in a letter to Google's CEO.

SOCIAL NETWORKING

Privacy Laws, Hacking Are “Risk Factors” in Facebook IPO (February 2, 2012)
In its IPO filing, Facebook said that potential privacy legislation, evolving attitudes around user privacy and cyberattacks, among others, contribute to "risk factors" for its business, The Wall Street Journal reports. The filing mentions privacy 35 times and includes "privacy and sharing settings" as one way the company creates value for users. Facebook expects "to continue to be subject" to future investigations but added that it has "a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and apps, and rigorous data security practices." Stanford Law School's Ryan Calo said, "It just struck me about how aware they are of the vulnerabilities...They have a narrow path to walk, and their risk factors really dramatize that in a way we hadn't seen before." (Registration may be required to access this story.)

PRIVACY—CANADA

Clayton Is Alberta’s New Commissioner (February 2, 2012)

Jill Clayton has been sworn in as Alberta's first female information and privacy commissioner, the Calgary Herald reports. Looking to the work ahead of her, Clayton spoke of some of the challenges inherent in moving toward more open government and implementing legislation that was called "Swiss cheese" by her predecessor, Information and Privacy Commissioner Frank Work. "I think there are some real concerns," Clayton said of encouraging increased transparency, adding, "I don't think it is an easy thing to do. I would like to see the office work with lots of consultation, lots of proactive guidance to help public bodies move in that direction."

PRIVACY LAW—U.S.

NH Bill Would Make GPS Tracking Illegal (February 2, 2012)

The New Hampshire House of Representatives passed a bill that would outlaw the use of GPS to track people without a court order, reports NHPR. The bill's sponsor, Rep. Neal Kurk, resuscitated the bill by highlighting the story of a jealous boyfriend tracking his girlfriend with a "$30 GPS device," adding, "it's not science fiction; it's happening now." The bill passed with a 25-vote margin but must go to a second committee before a final vote. Opponents say the bill does not take into account the technical challenges and unintended consequences of banning such tracking in today's age of smart devices.

PRIVACY LAW—U.S.

EPIC Wants Access to Google Privacy Audit (February 2, 2012)

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information request for access to Google's privacy report to the Federal Trade Commission (FTC), part of Google's April settlement with the agency, ZDNet reports. The request comes on the heels of the company's announcement that as of March 1 it will revise its privacy policy and begin combining individual users' data across various Google products. Given the upcoming changes, EPIC's Marc Rotenberg said it's critical the FTC release the privacy audit "so that users of Google services will be able to meaningfully assess what Google is proposing to do with their data."

ONLINE PRIVACY—U.S.

Google To Brief Congress; Advocates Want it Public (February 2, 2012)

Google executives will brief a congressional committee in private today on changes to its privacy policy that will go into effect in March, rousing objections from a consumer group. USA TODAY reports that Consumer Watchdog Director John Simpson wrote in a letter to Rep. Mary Bono Mack (R-CA), who chairs the committee, "Your investigation into Google's practices that affect millions of Americans should be public," but according to Bono Mack's senior advisor, the briefing will go as planned. "It gives us an opportunity to collect information, ask tough questions and determine whether a hearing or investigation is warranted," he said. But Simpson says, "Allowing Google to give secret briefings does not serve the committee nor the public interest."

PRIVACY LAW—LEBANON

Minister: People’s Privacy Rights Improved (February 2, 2012)

Telecommunications Minister Nicolas Sehnaoui rejected a Lebanese security services request for "telecoms data"--which would have allowed agents to track telephone communications of individuals--because it breached current law, The Daily Star reports. In a Twitter remark, Sehnaoui said, "Lebanese people's privacy rights improved consistently after a three-hour struggle at Council of Ministers (Cabinet)." Security services requested telecoms access because of an alleged plot to assassinate a high-level security official, the report states, but Sehnaoui halted access because a wiretapping law prevents such data from being accessed by state security forces unless there is a state emergency. The Cabinet has agreed to create a committee--led by the prime minister--to address possible amendments to the law.

BIOMETRICS—U.S.

Facial Recognition Moratorium Requested (February 2, 2012)

The Electronic Privacy Information Center (EPIC) has submitted comments to the Federal Trade Commission (FTC) calling for a suspension of facial recognition technology deployment until appropriate standards are in place, according to a press release. EPIC says the technology "is often used by strangers to determine a person's actual identity and that this poses a risk to privacy and personal security." While some organizations have adopted strong privacy practices around the use of facial recognition technology, EPIC says others have "undermined privacy." In its report, EPIC recommends that the FTC ensure that consumers maintain control over their identity and enforce Fair Information Practices "against commercial actors when collecting, using or storing facial recognition data."

ONLINE PRIVACY

Facebook Going Public, Data Handling Getting Serious (February 1, 2012)
Facebook is expected to file for a public stock offering today that will value the company between $75 billion and $100 billion, The New York Times reports. The value will be determined by how well the company leverages its stores of personal data to attract advertisers, the report states, and "how it can handle privacy concerns raised by its users and government regulators worldwide."

PRIVACY LAW—U.S.

Lawmakers, Stakeholders: VPPA Amendment Needs Work (February 1, 2012)

Should consumers have the power to choose whether to share their personal information, or should Congress legislate that right? Lawmakers and stakeholders debated the question at yesterday's hearing on the proposed amendment to the Video Privacy Protection Act, which would allow consumers to give one-time, blanket consent for their viewing preferences to be used by a "video tape service provider" and for that consent to be obtained via the Internet, reports this Daily Dashboard exclusive.

PRIVACY LAW—U.S.

Class-Action Follows Hacking Attack (February 1, 2012)

A federal class-action suit has been filed in Texas against geopolitical analysis publisher Stratfor, The Statesman reports. The suit follows a hacking attack against Stratfor's website in December and seeks more than $50 million in damages on behalf of the 75,000 customers whose personal and credit card information was compromised. It alleges breach of contract and violation of the federal Stored Communications Act; two weeks passed before Stratfor notified those affected about the incident. Stratfor says the suit is "without merit," and it looks forward to telling its side of the story, the report states. Hacking community Anonymous has taken credit for the breach.

TRAVELERS’ PRIVACY—EU & U.S.

Lawmaker Disapproves of Current PNR Deal (February 1, 2012)

The New York Times reports on comments made by Dutch MEP Sophie in 't Veld about the passenger name record deal between the EU and U.S. The European Parliament (EP) should vote down the deal, she said, because it does not address EP concerns and is not in line with European law, the report states. "It is deeply disappointing," said in 't Veld, "that nine years of negotiations with our closest friend and ally, the United States of America, have not resulted in an agreement that respects European standards on fundamental rights...the new agreement represents a deterioration on many points." Expressing hope that the EP would pass the legislation, EU Commissioner for Home Affairs Cecilia Malmström said there were "robust safeguards" in place. The EP is expected to vote on the deal in April. (Registration may be required to access this story.)

FINANCIAL PRIVACY

This Will Go Down on Your Permanent Record (February 1, 2012)

The New York Times explores one woman's efforts to delete her credit card information from a closed account at an online retailer--finding that, in effect, it is impossible. After hearing of large-scale breaches across the Internet, the woman decided that deleting the information from her closed Blockbuster account would be a safe thing to do; however, a response from customer service informed her that the company keeps her information "for accounting purposes" and it "cannot be removed." The woman's credit card company advised her to change her account number, which she did. (Registration may be required to access this story.)

SOCIAL NETWORKING—EU

Activists Set To Meet With Facebook (February 1, 2012)

Austrian student activist group Europe v. Facebook expects to meet with representatives from the social networking company in Vienna next Monday in hopes of resolving its disapproval of the company's privacy policies, PCWorld reports. The group originally filed a complaint with the Irish data protection commissioner (DPC), but does not think the regulator went far enough in its audit recommendations, the report states. The DPC said it would reexamine the complaints if the group is still not satisfied with the outcome, and as a final recourse, if the group is not satisfied with the reexamination, it can then file a court appeal.

ONLINE PRIVACY—U.S.

Microsoft Sees Opportunity, Launches Campaign (February 1, 2012)

Microsoft will launch an ad campaign pitching itself as more consumer-friendly than some of its competitors, Marketing Land reports. The ad campaign, which will run in several major news publications, takes aim at recent changes to Google's privacy policies. According to Microsoft's Frank Shaw, those changes may have caused Google users "to pause and think about their relationship with Google...That's why we decided to run some ads. To say, 'Hey, we have a different point of view, and you should check out these services.'"

Congress V. Consumers: Who Should Control Data-Sharing Choices? (February 1, 2012)

Lawmakers, Stakeholders Discuss Amendment to the Video Privacy Protection Act

By Angelique Carson, CIPP/US

Should consumers have the power to choose whether to share their personal information, or should Congress legislate when they have that right? 

That question was up for debate at yesterday’s hearing on the proposed amendment to the Video Privacy Protection Act (VPPA), during which lawmakers and witnesses discussed consumer rights, the viability of easily accessible opt-out mechanisms and how to adequately update a consumer privacy law sure to soon again fall behind the forward march of technology. 

Witnesses at “The Video Privacy Protection Act: Protecting Viewer Privacy in the 21st Century” hearing, held by the Senate Judiciary Committee’s Subcommittee on Privacy, Technology and the Law, agreed the VPPA needs updating, but to what extent and how didn’t always draw consensus.

House Resolution 2471—which passed the House of Representatives in December 2011--would amend the VPPA to allow consumers to give one-time, blanket consent for their viewing preferences to be shared by a “video tape service provider,” and for that consent to be obtained via the Internet. 

The VPPA was passed in 1988—years before online video streaming and data sharing were prolific—after a Supreme Court nominee’s video rental history was published in a newspaper. The law forbids the disclosure of video renters’ personal information without the consumer’s informed, written consent at the time of disclosure. Disclosure is permitted under certain circumstances–such as for law enforcement under a court order or warrant, or if the consumer provides written consent–provided a video’s title, description or subject matter isn’t disclosed.

EPIC’s Marc Rotenberg said the VPPA aimed to provide a higher level of protection against companies disclosing data under opt-out provisions that would reveal significant details about a person’s personal interests and likes.

Rep. Melvin Watt (D-NC) noted that a video subscriber’s data “exposes a member’s personal interest and struggles with various highly personal issues including sexuality, mental illness, recovery from alcoholism and victimization from incest, physical abuse, domestic violence and rape.”

Internet subscription service Netflix says consumers should ultimately control what information they share, not Congress. Ambiguities under the VPPA recently halted Netflix’s plans to integrate its video streaming services with Facebook in...