Privacy News | Daily Dashboard

Top Privacy News

PRIVACY LAW—CHINA

Cabinet OKs Draft Data Protection Bill Changes (August 31, 2012)

China’s Executive Yuan has approved draft legislation that seeks to make improvements on a 2010 amendment to the Personal Data Protection Act, The China Post reports. The proposed changes would require data collectors to inform consumers prior to processing such data. The bill will go before the Legislature Yuan for final approval, the report states.

HEALTHCARE PRIVACY—U.S.

ONC To Revise Model Privacy Notice for PHRs (August 31, 2012)

The Office of the National Coordinator for Health IT is calling for comments and recommendations to inform its revision of the model privacy notice for personal health records, FierceEMR reports. The current model privacy notice is applicable through September 30, the report states.

SURVEILLANCE—U.S.

Use of License Plate Scanner Data Raises Concerns (August 31, 2012)

The Minneapolis StarTribune reports on privacy concerns following a car dealer’s use of license plate scanner data to repossess a car. In what is “likely the first time the records have been used by a business in Minnesota,” after learning that data captured by law enforcement license plate cameras “is public and retained for one year in Minneapolis,” the dealership's co-owner sought information on cars owned by four individuals who had stopped making payments. “Privacy advocates have recently called for the legislature to craft legislation addressing license plate data classification, retention and sharing,” the report states.

PRIVACY LAW—U.S.

Sens. Call on Obama To Issue Cybersecurity Order (August 31, 2012)

At least two senators have called on the Obama administration to issue an Executive Order on cybersecurity after Congress failed to pass legislation on the issue, Hogan Lovells’ Chronicle of Data Protection reports. In an open letter to the White House, Sen. Dianne Feinstein (D-CA) wrote, “our critical infrastructure, our financial hubs and our ability to defend the nation are at risk; we must take action to address these vulnerabilities as soon as possible.” Feinstein did note that the administration does not have power to offer legal certainty or protection to firms that share cybersecurity data with the government, the report states. Meanwhile, some experts say impending cybersecurity initiatives further prompt the need for the Privacy and Civil Liberties Oversight Board.

PRIVACY

Chris Soghoian Profile: Academic, Activist, Avant-Garde (August 31, 2012)

The Economist profiles “activist technology researcher” Chris Soghoian, whose actions have revealed privacy and security issues at organizations such as the Transport Security Administration, Google, Sprint and Dropbox. “Every privacy scandal essentially has to take the form of a firestorm,” says Soghoian, who holds a PhD from the University of Indiana. “I try to focus on things that are really important that haven’t gotten enough attention.” Soghoian’s most recent campaign targets the monitoring of Internet traffic by law enforcement agencies. “The marginal cost of spying on one more person is essentially zero now,” Soghoian says. “The economics of modern surveillance are not beneficial to the consumer.”

DATA PROTECTION

As Smart Grid Grows, Privacy Concerns Proliferate (August 31, 2012)

With the increased emergence of smart grid technology and the deployment by utility companies of smart meters, governments and privacy advocates are “actively collaborating to work toward best practices, privacy frameworks and, in some jurisdictions, legislation.” The Future of Privacy Forum’s Chris Wolf has said the smart grid will “form a library of personal information, the mishandling of which could be highly invasive of consumer privacy.” In this exclusive for The Privacy Advisor, IAPP Publications Board Member Chris Pahl, CIPP/US, CIPP/G, and Ontario Information and Privacy Commissioner Ann Cavoukian offer advice on how utilities can address consumer concerns and apply appropriate data protection. (IAPP member login required.)

PRIVACY LAW—U.S.

Consumer Group, Resort Challenge FTC (August 30, 2012)

The U.S. District Court of Northern California has granted Consumer Watchdog the right to challenge the legal logic behind the proposed Federal Trade Commission (FTC) settlement with Google, POLITICO reports. The advocacy group has questioned how the FTC can charge a company with a violation while also allowing no admission of guilt. A Google representative noted, “We are confident there is no basis for this challenge,” while a Consumer Watchdog spokesman said, “The settlement is particularly the start of a very slippery slope,” adding, “It’s very important the FTC get called on this.” Meanwhile, Wyndham Hotel & Resorts LLC is challenging the FTC’s allegations that it failed to adequately secure consumer data.

MOBILE PRIVACY—U.S.

Mobile App Code of Conduct Talks Continue (August 30, 2012)

NationalJournal reports on Wednesday’s meeting by the Commerce Department's National Telecommunications and Information Administration, the latest in an effort to develop an industry code of conduct for mobile apps privacy. The report notes that while stakeholders including industry and privacy advocates “made little headway in actually developing an industry code of conduct for mobile applications,” they are making progress toward cooperative efforts. “It's important to have smaller conversations to figure out with people who have different viewpoints where common ground is,” said the ACLU’s Chris Calabrese. The next meeting in the ongoing series is scheduled for September 19.

BIOMETRICS—CANADA

The Positive Side of Facial Recognition (August 30, 2012)

The use of an opt-in facial recognition scheme to help gambling addicts stay out of Ontario’s 27 government-run casinos has been conducted in a “privacy-friendly” manner, Bloomberg Business reports. Ontario Information and Privacy Commissioner Ann Cavoukian has been a proponent of the system due to its incorporation of privacy protections, the report states. Only images of opted-in gamblers are kept in a database, and they are encrypted. If a hacker were to breach the system, the information would make no sense. Cavoukian has backed biometric encryption, saying, “I just don’t want any identifiable biomarkers out there.”

PERSONAL PRIVACY—U.S.

CA PUC Approves Gas Meter Privacy Protections (August 30, 2012)

The California Public Utilities Commission has unanimously agreed to new rules governing the protection and use of consumers’ data captured from gas meters, Solid State Technology reports. Two commissioners described the protections as being balanced, enabling both consumer protections and the “responsible use of consumer information,” according to the report. The rules allow covered entities certain rights around the collection, use and disclosure of the data.

DATA PROTECTION—U.S.

SEC Cyber-Disclosure Guidance Becoming Standard (August 30, 2012)

Bloomberg reports that the Securities and Exchange Commission (SEC) cyber-disclosure guidance has “become de facto rules for at least six companies” including Google and Amazon. According to letters sent by the SEC, the companies were asked to, in future filings, disclose to investors if systems had undergone a cyberattack. Companies have expressed concerns that such admissions can hurt reputations, provide competitors with important information or give rise to consumer litigation, the report states. In its deliberations on cybersecurity legislation, Congress has assessed ways to encourage firms to disclose data breaches, including a voluntary reporting system. Editor’s Note: The IAPP’s recent web conference, The SEC Guidance on Cybersecurity and Incident Disclosure: What You Need to Know, is available for purchase on demand.

SOCIAL NETWORKING—U.S.

Expert: Case Shows “Privacy Is Big Business” (August 30, 2012)

American Public Media interviews George Washington University Law Prof. Orin Kerr to analyze Twitter’s recent court appeal. Kerr said “the ultimate question in this case is whether, when you send your stuff to Twitter, does it become Twitter’s, and anyone can look at it? Or is it still your private communication?” The judge in the case said individuals give up their expectation of privacy once they communicate a message to the world. According to Kerr, Twitter is likely appealing the case because “privacy is a big business,” adding, “Twitter has a strong incentive to try to protect the privacy rights of its customers.”

ONLINE PRIVACY

What Happens to Our Data After Death? (August 30, 2012)

When it comes to our final wishes for the digital data we amass in the course of our lives, a news.com.au report suggests that “unless you get control over your digital collections and social networking pages now, it will be very difficult for your loved ones to access all of your content once you're gone.” The report examines the ways social networks allow—or don’t allow—loved ones to access or deactivate accounts of the deceased. Quoting Facebook, the report says the best way to sum up what happens to our data after death is, “It's complicated.” Editor's Note: A past feature in Inside 1 to 1: PRIVACY examines the questions around who owns the digital data stored in sites and caches across the web.

HEALTHCARE PRIVACY—U.S.

Experts “Mostly Pleased” with HITECH Stage 2 Provisions (August 30, 2012)

Privacy and security experts are “mostly pleased” with the provisions included in Stage 2 of the HITECH electronic health record (EHR) incentive program, reports GovInfoSecurity. One provision requires EHR software be designed to encrypt medical records stored on devices by default, which Rebecca Herold, CIPP/US, says “will ultimately improve protection of patient information.” Two other provisions—receiving mixed reviews from the experts—include a risk assessment rule mandating security updates, but not specifically encryption, and a patient access rule requiring that five percent of discharged patients access their EHRs within a specified time period—down from 10 percent in the proposed rule.

ONLINE PRIVACY

Privacy Worries Surround UN Internet Regs (August 30, 2012)

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz in this exclusive for The Privacy Advisor. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.”

DATA LOSS

Hackers Publish Stolen Data; Breaches Hit Two Orgs (August 29, 2012)

A hacker collective calling itself Team GhostShell has allegedly accessed and published one million records taken from banks, government agencies and other firms and is warning of further leaks, CNET News reports. A security expert said it is “a pretty significant breach.” In a separate incident, a Cancer Care Group laptop containing personal information of approximately 55,000 individuals was stolen from an employee in July. Meanwhile, the University of Rhode Island has disabled a server after it was discovered that the personal information of more than 1,000 faculty and staff was publicly available.

PRIVACY LAW—U.S.

Missouri Tracking Law Challenged in Court (August 29, 2012)

A new cellphone tracking law recently passed in Missouri is being challenged in court on assertions that it conflicts with federal law, the Associated Press reports. Missouri’s law makes it easier for police to track users’ cellphone locations in cases of emergency. According to a lawsuit filed Monday, the law should be overturned under the supremacy clause of the U.S. Constitution. The suit seeks a restraining order or injunction and class-action status, the report states. The attorney who filed the suit said, “If I take my cellphone to California, I have more rights. If I use my cellphone in Missouri, I have less rights. So really it comes down to a privacy issue.” Editor’s Note: The Privacy Tracker’s weekly legislative update recently reported on Missouri’s cellphone tracking law.

PRIVACY LAW—PHILIPPINES

BPO Industry Backs Data Privacy Law (August 29, 2012)

The umbrella organization of the IT business process outsourcing (IT-BPO) industry in the Philippines said the recent signing of the Data Privacy Act will increase the confidence of foreign investors, Manila Standard Today reports. Business Processing Association of the Philippines President and CEO Benedict Hernandez said the law brings the country “to international standards of privacy protection.” In a statement, Sen. Edgardo Angara noted the importance of balancing the free flow of information with privacy protections and said the implementation of the new law will require training of experts and added rules and regulations, the report states.

HEALTHCARE PRIVACY—AUSTRALIA

OAIC Seeks Public Comment on PCEHR Enforcement (August 29, 2012)

ZDNet reports that the Office of the Australian Information Commissioner (OAIC) is seeking public comment on how it should enforce personally controlled electronic health record (PCEHR) privacy regulations. Together with a set of enforcement guidelines, the OAIC has released a consultation paper. The guidelines detail the OAIC’s enforcement and investigative powers under the PCEHR and Privacy Acts and outline the penalties, enforceable undertakings and injunctions that can be applied in breach cases, the report states. The OAIC is asking if the draft guidelines are acceptable and provide enough clarity. The deadline for public comment is September 18.

DATA THEFT—U.S.

Second Man Charged in Sony Hack (August 29, 2012)

A second man has been charged for his alleged role in breaching Sony Pictures Entertainment, the Associated Press reports. Raynaldo Rivera faces one count each of conspiracy and unauthorized impairment of a protected computer and, the report states, he faces 15 years in prison. Earlier this year, Cody Kretsinger pleaded guilty to two charges and is scheduled for sentencing in October.

PRIVACY LAW—RWANDA

Opinion: Proposed Intercept Law Needs Oversight (August 29, 2012)

In a column for allAfrica, Sunny Ntayombya discusses a proposed communication intercept law in Rwanda. Ntayombya reports that the proposed law would allow the government’s security agencies to “monitor anyone who they think is conducting illegal activities,” adding, “As long as they have a warrant, given in writing or verbally by the Prosecutors of National Jurisdiction…the intercepts are legal.” Ntayombya opines, “I’m uncomfortable with the fact that, when it comes to tapping my phone calls and e-mails, all police needs to do is simply ask a prosecutor,” adding, “we would be better served if permission to tap our communication came from judges.”

CHILDREN’S PRIVACY—U.S.

Advocates Ask FTC To Investigate; FTC Extends COPPA Deadline (August 28, 2012)

A group of advocacy organizations has asked the Federal Trade Commission (FTC) to investigate several viral campaigns aimed at children, ZDNet reports. The Center for Digital Democracy—along with 16 advocacy groups—has sent a letter to the FTC with five complaints about the campaigns alleging they violate COPPA. “Such tell-a-friend campaigns, a powerful form of word-of-mouth marketing traditionally directed at teens and adults, are inherently unfair and deceptive when aimed at children,” the complaint states, noting, “The practices also violate existing privacy laws for children.” Meanwhile, the FTC announced it is extending the deadline for public comment on proposed modifications to COPPA.

MOBILE PRIVACY—U.S.

NTIA: Stakeholders Making “Substantial Progress” (August 28, 2012)

In a National Telecommunications & Information Administration (NTIA) blog post, Director of Privacy Initiatives John Verdi said that stakeholders in last week’s meeting “made substantial progress on procedural issues to move” the mobile app transparency issue forward. The NTIA has also released poll results from the meeting, and stakeholders are “welcome to propose concrete suggestions on procedural topics from any category.” Tomorrow, stakeholders will meet to focus on two main goals—to “develop an initial priority list for substantive elements” that may fit into a mobile application transparency code of conduct and to “propose concrete procedural steps that the group can take to implement the top priority substantive elements,” Verdi writes.

PRIVACY LAW—U.S.

Twitter Appeals Court Decision (August 28, 2012)

Twitter has filed an appeal with the New York State Supreme Court to overrule a lower court order for the company to disclose an Occupy Wall Street protester’s tweets, The Hill reports. The American Civil Liberties Union has filed a brief in support of the company, saying, “We are hopeful that Twitter’s appeal will overturn the criminal court’s dangerous decision and reaffirm that we retain our constitutional rights to speech and privacy online as well as offline.”

SOCIAL NETWORKING—GERMANY

Consumer Group Tells Facebook To Fix App Centre (August 28, 2012)

Reuters reports the Federation of German Consumer Organizations “believes Facebook is violating privacy laws with its new app center and has set a deadline for the social network…to fix it or potentially face legal action.” The group contends the app center gives third-party applications users’ information without their knowledge. “It will consider legal action against Facebook if the site fails to fix the problem by September 4,” the report states, noting the deadline follows plans by Hamburg’s data protection commissioner to “reopen his investigation into Facebook's policies on tagging photos, retaining and deleting data and the level of control users have over their information.”

PRIVACY LAW—U.S.

Advocacy Group Challenges Settlement (August 28, 2012)

IDG News Service reports that nonprofit advocacy group Consumer Watchdog “is dialing up its criticism of the proposed privacy settlement between the U.S. Federal Trade Commission (FTC) and Google,” filing a motion in U.S. District Court seeking friend-of-the-court status and a hearing. Consumer Watchdog questioned the proposed $22.5 million settlement when it was first announced because it allows Google to deny “any violation of the FTC order, any and all liability for the claims set forth in the complaint and all material allegations of the complaint save for those regarding jurisdiction and venue,” the report states.

CLOUD COMPUTING

Rapid Rise of Cloud Is Changing Computing, Business (August 28, 2012)

The New York Times reports on the rapid rise of cloud computing and how it’s changing the way companies conduct business. Through platforms such as Amazon Web Services (AWS), thousands of companies and government agencies are renting computer server and storage space for a fraction of the cost of owning and running their own systems. Though cloud computing has been around for a number of years, computing speed and storage is growing at unprecedented and exponential rates, the report states. Andrew Jassy, the head of AWS, said “We are on a shift that is as momentous and as fundamental as the shift to the electrical grid.” (Registration may be required to access this story.)

PRIVACY LAW—UK

Retailers Could Be Forced To Release Data (August 27, 2012)

UK ministers have announced they may require supermarkets and online retailers “to release sensitive personal data they hold about customers,” the London Evening Standard reports. Companies could be required by law “to provide electronic copies of ‘historic transaction data’ when individuals request it,” the report states, which would mean shoppers receive “records of their purchases and spending habits.” While consumers currently have the right to request such information under the Data Protection Act, “the details are rarely in electronic form, and the process is awkward and slow,” the report states, noting, “The new rules would make access far quicker and easier.”

PRIVACY LAW—U.S.

FCRA Enforcement Actions Could Support Interoperability Arguments (August 27, 2012)

The Hunton & Williams Privacy and Information Security Law Blog reports on a recent $2.6 million Federal Trade Commission settlement with HireRight Solutions, an employment background-screening company, for failure to comply with Fair Credit Reporting Act (FCRA) requirements. The blog post suggests, “By emphasizing the FCRA’s applicability in the employment context, the FTC helps strengthen the case for interoperability between very different privacy regimes…The more FCRA enforcement actions the FTC files against non-traditional consumer reporting agencies, the stronger the U.S. government’s arguments regarding interoperability with respect to information aggregation issues and the more likely that discussions about interoperability will bear fruit.”

SOCIAL NETWORKING

Reports Examine Access, Use of PI (August 27, 2012)

In the first installment in its new “Terms & Conditions” series, which aims to reduce documents such as privacy policies “into language anyone can understand,” Digital Trends explores Facebook’s “Data Use Policy.” Sections of the report feature what Facebook knows about its users, the difference between public and private data on the site, how data is used and the “two levels of cutting ties with the social network…deactivate vs. delete.” Meanwhile, a TechCrunch column questions, “Do you know how many apps access your personal information on Facebook?” The article suggests changes in the social network’s design mean more apps are getting permission to access personal data.

MOBILE PRIVACY—U.S.

Political Apps May Compromise Privacy (August 27, 2012)

CNN reports on mobile apps currently being deployed by both U.S. presidential campaigns to help voters keep tabs on their candidates. One campaign prompts users to log in via Facebook, giving it the ability to mine the data of users’ friends. The other campaign provides information to help volunteers canvass by assigning blue flags on the residences of registered party members. Privacy advocate Justin Brookman said, “Contact lists, friends, telephone numbers…anything you do with your phone is designed to be exposed to the applications that you download, so whatever on there they think might be valuable, as far as data mining…they have the ability to get.”

PRIVACY LAW—AUSTRALIA & U.S.

Experts Consider “Grey” Area of USA PATRIOT Act (August 27, 2012)

COMPUTERWORLD reports on privacy advocates’ belief that the USA PATRIOT Act could apply to data hosted by Rackspace in Australia. “When Rackspace announced the opening of its first data center in Australia, the company emphasized that only Australian laws would apply to hosted data,” the report states, noting this prompted questions by competitors and others regarding the extra-territorial reach of the USA PATRIOT Act. “It is a very grey area,” said Information Integrity Solutions Managing Director Malcolm Crompton, CIPP/US. “Much more insight is needed into questions such as whether and how a company has a link to the U.S. before it is possible to say” how the act would apply.

HEALTHCARE PRIVACY—U.S.

McGraw: Improved Informed Consent Is Paramount (August 27, 2012)

In a Q&A with Alex Howard for O’Reilly Radar, Center for Democracy and Technology Director of the Health Privacy Project Deven McGraw says that improving informed consent will help balance health privacy and innovation. McGraw underlines the need for “keeping a trustworthy environment for individuals so they can seek the care they need” along with education and transparency. “To me,” McGraw said, “the magic endpoint is whether we have a healthcare data ecosystem that most people trust,” adding, “I don’t think we’re quite there yet.”

ONLINE PRIVACY

New Operating System Receives Privacy Complaint (August 27, 2012)

Programmer Nadim Kobeissi has said a new feature in Microsoft’s Windows 8 operating system—slated for release next month—automatically sends the firm data about every application installed by a user, BGR reports. SmartScreen is designed to filter out malicious programs. Kobeissi said that vulnerabilities in the system may make it “possible to intercept SmartScreen’s communications to Microsoft and thus learn about every single application downloaded and installed by a target.” According to an Ars Technica report, “calling this a significant security risk seems more than a little unwarranted.” Microsoft said, “As our privacy statements indicate, we take steps to protect our users’ privacy on the backend.”

PERSONAL PRIVACY—U.S.

Opinion: Too Much or Not Enough? (August 27, 2012)

Two opinion pieces look at different aspects of data collection. In a column for Forbes, David Williams suggests that when it comes to recording customer information, “there’s no such thing as too much” as long as companies respect laws and individual privacy. “The more unique to a customer and the deeper the information, the more critical it is that the use of the information we’ve gathered is also highly personal and extremely high-touch,” he writes. Meanwhile, an editorial in the North Platte Telegraph opposes the U.S. Census Bureau’s collection of private information in its American Community Survey.

PRIVACY LAW—U.S.

Sixth Circuit Rules on Breach Insurance Coverage (August 24, 2012)

Business Insurance reports on a federal appellate court’s ruling this week that the DSW Shoe Warehouse was entitled to insurance coverage for losses related to a 2005 data breach. “The Sixth U.S. Circuit Court of Appeals in Cincinnati in Retail Ventures Inc. et. al. v. National Union Fire Insurance Co. of Pittsburgh Pa., upheld a lower court’s ruling that the retailer was entitled to coverage under a computer fraud rider to a ‘blanket crime policy’ for its losses,” the report states. The insurer had asserted that the loss the retailer suffered had not resulted directly from the theft of customer information, according to the report. (Registration may be required to access this article.)

PERSONAL PRIVACY—AUSTRALIA

Tax Office Wants Access to Real-Time Data (August 24, 2012)

The Australian Tax Office (ATO) is asking for changes to the nation’s phone-tapping laws so investigators can intercept data in real time, iTnews reports. The office has access to stored communications such as voice mail, e-mail and SMS messages under the Telecommunications (Interception and Access) Act 1979, the report states. “Access to real-time telecommunications data would enable our investigators to quickly identify those involved in suspected fraud, establish an association between two or more people, prove that two or more people have communicated at a particular time and by what means or show that a person was at a location at a particular time,” said the ATO.

HEALTHCARE PRIVACY—U.S.

EHR Stage 2 Final Rules Call for Encryption (August 24, 2012)

GovInfoSecurity reports on Thursday’s release of the two final rules for Stage 2 of the HITECH Act's electronic health record (EHR) incentive program. The Department of Health and Human Services rules, which address meaningful use and software certification, are scheduled to be published in the Federal Register on September 4. The meaningful use rule includes requirements for risk assessment analysis addressing encryption of data stored in certified EHR technology, while the software certification rule requires EHR software “be designed to encrypt, by default, electronic health information stored locally on end-user devices,” the report states. A recent whitepaper, meanwhile, cautions against securing personal health information on portable devices.

PRIVACY LAW—U.S.

Settlement Demands $2.5 Million Fine, Return of Data (August 24, 2012)

The Hunton & Williams Privacy and Information Security Law Blog reports on the recent settlement reached between Minnesota Attorney General Lori Swanson and Accretive Health, Inc., for violations of HIPAA. Accretive provided services to two of the state’s hospital systems, according to the report. Under the settlement, Accretive will pay the state $2.5 million and will refrain from operating there for a period of two years. The company also must “return all data about Minnesota patients to the relevant hospitals.”

ONLINE PRIVACY—U.S.

Polonetsky: Browser Controls Are Too Complicated for Busy People (August 24, 2012)

Companies are increasingly providing additional controls and options for online users’ privacy, but they are too complicated for busy people, says Future of Privacy Forum Director Jules Polonetsky, CIPP/US. Instead, online controls should be as easy as driving a car. “I can rent a car model that I have never driven before, in a strange city—a machine that can kill people if I choose the wrong lever—but yet I can drive it safely without reading the manual. Why can’t my browser be as easy to use?” asks Polonetsky in this Slate Magazine article. He adds that high-level legislation supplemented by industry self-regulation “makes sense.”

PRIVACY LAW

Legislative Discrepancies Lead To Costs for ISPs (August 24, 2012)

Internet service providers (ISPs) have become “increasingly implicated in a complex situation as differing laws arise across different jurisdictions,” says Pauline Reich, a law professor and founder-director of the Asia-Pacific Cyberlaw, Cybercrime and Internet Security Research Institute Japan. The Council of Europe has requested ISPs voluntarily grant law enforcement agencies access to data on individuals for investigations, which jurisdictions have interpreted in various ways. As countries navigate “the complicated privacy debate,” ISPs and telcos could see greater costs, including monetary costs incurred from lawsuits and a loss of public trust if customers understand their data may be shared, ZDNet reports.

BIG DATA

Opinion: Big Data Collection Must Slow Down (August 24, 2012)

As more organizations construct “digital dossiers” of consumers, Colorado Law School Prof. Paul Ohm writes in Harvard Business Review that “databases will grow to connect every individual to at least one closely guarded secret,” thereby causing “more than embarrassment or shame; it would lead to serious, concrete, devastating harm.” Ohm said many opportunities come with Big Data, but ubiquitous data collection “will become an inevitable fixture of our future landscape, one that will be littered with lives ruined by the exploitation of data assembled for profit.” Consequently, businesses “should slow things down, to give our institutions, individuals and processes the time they need to find new and better solutions,” writes Ohm.

PRIVACY LAW—PHILIPPINES

Data Privacy Law Signed (August 23, 2012)

President Benigno Aquino has signed the Data Privacy Act 2012, ABS-CBN News reports. The bill is also known as “An Act Protecting Individual Information in Information and Communication Systems in the Government and the Private Sector.” The bill is based on the European Directive and requires data security standards by business process outsourcers. The president did not veto any of the bill's provisions, the report states. Some lawmakers have said the law will spur investment in the Philippines.

DATA PROTECTION—NEW ZEALAND

ACC Report Issued, Commissioner Urges Culture Change (August 23, 2012)

An independent report on New Zealand’s Accident Compensation Corporation (ACC) has revealed that a data breach was due to “human error” but also “systemic weaknesses within ACC’s culture, systems and processes.” Commissioned by New Zealand Privacy Commissioner Marie Shroff, the Independent Review of ACC’s Privacy and Security Information was undertaken by KPMG and former Australian Privacy Commissioner Malcolm Crompton, CIPP/US. Shroff said the ACC “has elements of privacy protection and security” in place, but they “are not up to the standard expected” of such an organization, adding, a “culture change” will be necessary, starting “right at the top.” Meanwhile, State Services Commissioner Iain Rennie urged vigilance by public servants processing personal data.
Full Story

PRIVACY LAW—U.S.

California Passes Location Privacy Bill (August 23, 2012)

California’s state legislature has passed the Location Privacy Act of 2012, Ars Technica reports. The law requires law enforcement agencies to obtain a search warrant before gathering GPS or other location-tracking data that a suspect’s cell phone may be transmitting, the report states. Sen. Mark Leno (D-San Francisco) sponsored the bill along with California’s ACLU and the Electronic Frontier Foundation (EFF). The bill now moves to Gov. Jerry Brown for a signature. Brown vetoed a similar initiative in 2011, however. Earlier this week, California passed a bill protecting students from having to provide access to their social media accounts. Editor’s note: Three of California’s foremost figures in privacy will speak at the upcoming IAPP Privacy Academy—Joanne McNabb, Director of Privacy Education and Policy at the California Office of the Attorney General’s Privacy Enforcement and Protection Unit; Travis LeBlanc, Special Assistant Attorney General of California, and State Sen. Joe Simitian of California’s 11th District.
Full Story

MOBILE PRIVACY—U.S.

NTIA Holds Second Meeting on Mobile Apps (August 23, 2012)

At the National Telecommunications and Information Administration meeting on app privacy yesterday, attendees expressed frustration with the meeting’s agenda. Susan Grant of the Consumer Federation of America threatened to walk out, along with a small group of her peers, if the meeting didn’t turn its focus to such process details as “whether agendas would be circulated in advance, whether the stakeholders would break into working groups and whether those working groups would circulate drafts of their findings,” National Journal reports. The meeting was the second in a series of three aimed at developing voluntary privacy guidelines for mobile apps. The next meeting is scheduled for August 29. Editor’s Note: The upcoming Practical Privacy Series will include a session on Marketing via Mobile Applications, QR Codes and Third-Party Platforms.
Full Story

DATA PROTECTION

Google Creating Staff of Privacy Experts (August 23, 2012)

Google is in the process of forming a “privacy red team” of experts to mitigate and iron out privacy risks and vulnerabilities in its products, ZDNet reports. According to a job post for a data privacy engineer, a red team member will work “to independently identify, research and help resolve potential privacy risks across all of our products, services and business processes in place today.” A ThreatPost report states the move by Google “to look critically at engineering and other decisions in the company’s products and services that could involve user privacy risks is perhaps a unique one.”
Full Story 

HEALTHCARE PRIVACY—U.S.

HIMSS Issues Recommendations for “Medical Banking” (August 23, 2012)

The Health Information and Management Systems Society has issued a set of recommendations to guide financial institutions managing revenue for healthcare organizations, FierceHealthIT reports. Released as a whitepaper, the guidelines aim to help financial institutions involved in “medical banking” to comply with HITECH’s added security and privacy requirements. Recommendations include selecting a privacy officer, updating workforce training and considering data privacy and security accreditation or certification by an independent third party. The paper states, “As customers of financial institutions, healthcare providers and payers need assurances that financial institutions can safeguard protected health information with appropriate technology systems, infrastructure and procedures for risk management and incident management.”
Full Story

CHILDREN’S PRIVACY—U.S.

Coalition To File Complaint Over Children’s Sites (August 22, 2012)
A coalition of privacy groups is asking the Federal Trade Commission to stop major companies from soliciting e-mail addresses of children for marketing purposes, Los Angeles Times reports. Fourteen groups will file a formal complaint with the commission today alleging that five kid-themed websites encourage kids to provide their e-mail addresses and the e-mail addresses of their friends. “The FTC should act promptly to stop this commercial exploitation of children,” said the legal counsel for the Center for Digital Democracy, which is leading the coalition’s efforts. The groups are also asking the FTC to prevent some marketing practices, such as the storage of photos children upload to sites. Editor’s Note: The IAPP Practical Privacy Series in New York, NY, on October 30 will feature a session on Marketing to Children Online.

DATA LOSS—U.S.

Intrusion May Affect 34,000 at University of South Carolina (August 22, 2012)

Officials at the University of South Carolina have begun notifying approximately 34,000 individuals with connections to the school of a potential data breach, The State reports. The intrusion was discovered three months ago and may have exposed names, addresses and Social Security numbers of current and former students, staff and researchers dating back to 2005. According to the report, this is the sixth breach affecting the school. Privacy Rights Clearinghouse Director Beth Givens has questioned why it took the university 11 weeks to notify affected individuals. A school official said, “We favored being as accurate and comprehensive as possible.”
Full Story

HEALTHCARE PRIVACY—U.S.

Proposed Bill Prompts Cross-State Breach Questions (August 22, 2012)

A HealthcareInfoSecurity blog post analyzes a recently proposed bill that would allow Department of Veterans Affairs (VA) physicians to practice telemedicine across state lines. Marianne Kolbasuk McGee queries, “What happens if there’s a data breach and doctors and patients are in different states?” Would tougher state laws trump HIPAA? A spokesman for Rep. Charles Rangel (D-NY) says it would be more likely that HIPAA rules would preempt state laws because the VA is a federal agency. Rangel, along with Rep. Glen Thompson (R-PA) and 11 other cosponsors, introduced the Veterans E-Health & Telemedicine Support Act of 2012 in July.
Full Story

PRIVACY LAW—U.S.

CA Moves To Protect Students’ Social Media Privacy (August 22, 2012)

California’s Senate unanimously approved legislation to ban colleges and universities from requiring students to provide passwords to their social media pages, Mashable reports. The bill now moves to Gov. Jerry Brown for approval. “California is set to end this unacceptable invasion of personal privacy,” said State Sen. Leland Yee (D-San Francisco). “The practice of employers or colleges demanding social media passwords is entirely unnecessary and completely unrelated to someone’s performance or abilities.” Maryland’s Senate recently passed a similar law.
Full Story

ONLINE PRIVACY—NORWAY

DPA Asks Agencies for Tracking Info (August 22, 2012)

The Norwegian Data Protection Authority (DPA) is concerned that two state agencies are violating Norwegian data protection law through their use of Google Analytics, and it has asked the agencies for more information, PCWorld reports. The DPA says that because the tracking service collects Internet protocol (IP) addresses and because the agencies—the Tax Administration and the State Educational Loan Fund—may not have control over how the IP addresses are handled, it wants documentation “before it moves forward.”
Full Story

SURVEILLANCE—U.S.

Gov’t Tracks License Plates, Shares With Third Parties (August 22, 2012)

Documents obtained under the Freedom of Information Act reveal that U.S. Customs at the Canadian and Mexican borders records travelers’ license plates and shares the data with the Department of Homeland Security, the Drug Enforcement Agency and the National Insurance Crime Bureau (NICB), Forbes reports. A nonprofit, the NICB is comprised of hundreds of car insurance firms. Electronic Privacy Information Center Attorney Ginger McCall said, “This is warrantless collection of very private data…It’s being shared with unknown organizations, not just in the government where there may be Privacy Act protections but outside the government with third parties, possibly in contravention of the Privacy Act.”
Full Story

PRIVACY LAW—UK

ICO Defends Cookie Compliance Initiatives (August 22, 2012)

The Information Commissioner’s Office (ICO) has defended its record against claims it has not investigated cookie compliance failures, SC Magazine reports. An earlier report stated the ICO received 320 violation claims without investigating one. The ICO said the report was “dramatically wide of the mark,” adding, “So far, 45 (websites) have been analyzed, of which 27 have clearly taken action to increase the visibility of the information about cookies.” The ICO also said, “A progress update, including a list of all the websites contacted, will be published on our website in November…” Editor's Note: The session Passport to the EU: Cookies, Consent and Other Marketing Issues will be featured during the IAPP's Practical Privacy Series Marketing and Advertising track on October 30 in New York City.
Full Story

DATA PROTECTION—U.S.

Why the FTC May Investigate and What To Do If It Happens (August 22, 2012)

In light of Google’s recent $22.5 million settlement with the Federal Trade Commission (FTC) for privacy violations, Jay Cline, CIPP/US, looks at seven practices that would prompt the FTC to take up an investigation. The list includes secretly tracking people; failing to honor opt-outs; failing to provide complete and accurate privacy policies, and disclosing consumer data without consent, Computerworld reports. If your company is investigated, one expert recommends against taking a defensive stance. “Be cooperative and maintain a positive dialogue upon completion of the investigation,” she advises, adding it’s important to consult the commission prior to making material changes to privacy practices “that you think may spur scrutiny.”
Full Story

BIOMETRICS

Opinion: Are Identifiers Helpful or a Privacy Invasion? (August 22, 2012)

In an opinion column for Computerworld, Mike Elgan queries whether biometric tools should be considered “evil.” With initiatives to implement new biometric identification technology everywhere from school cafeterias to airports, some find the technology helpful for security and efficiency, while others worry about privacy intrusions, prompting Elgan to ask, “Who’s right and who’s wrong?” Meanwhile, a CNN report questions whether the recently revealed British Airways “Know Me” program will promote more friendly flights or serve as an invasion of privacy.
Full Story

DATA LOSS—U.S.

Thumb Drive Prompts Notifications, Feds Arrest Former ER Worker (August 21, 2012)
A cancer center in Texas is notifying 2,200 patients that a missing thumb drive contained their personal details. CMIO reports that it’s the third breach this year for the University of Texas MD Anderson Cancer Center in Houston. Meanwhile, federal officials have arrested a Florida man for selling the medical records of patients of Florida hospitals, WFTV reports. Dale Munroe, who worked in the emergency room at Florida Hospital Celebration before he was fired last year, is accused of accessing and selling the records of more than 700,000 patients, according to the report.

EMPLOYEE PRIVACY—SWITZERLAND & U.S.

Data Disclosure Angers Swiss Bank Employees (August 21, 2012)

Employees at several Swiss-based banks have expressed disapproval over the disclosure of their personal information to U.S. authorities investigating American tax evaders, The Wall Street Journal reports. In some cases, employees were not told of the handover or were told but not allowed to review the data. The Swiss government, in order to avoid an indictment of its banks, allowed banks to share data of thousands of employees with the U.S. Department of Justice. A Zurich University professor said, “The Swiss should offer whatever help is required for the U.S. to track down tax dodgers, but they should make clear that they will do so within the country’s legal framework.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO To Probe Tesco Website (August 21, 2012)

The Information Commissioner’s Office will investigate claims that Tesco’s website doesn’t protect consumer privacy, ComputerWeekly reports. A number of security experts have raised concerns about how the retailer’s main website stores shoppers’ passwords. One expert said Tesco sent him an e-mail containing his password in plain text, indicating the company is not encrypting such data. The expert also said the company is not using Hypertext Transfer Protocol Secure (HTTPS) on its site to protect users from phishing attacks and data theft. Tesco has said its security is robust and there is no reason to believe customer data is at risk.
Full Story

MOBILE PRIVACY—U.S.

NTIA To Host Second Stakeholder Meeting (August 21, 2012)

Tomorrow, the U.S. Department of Commerce National Telecommunications and Information Administration will host its second in a series of meetings with multiple stakeholders to flesh out how to implement codes of conduct for mobile app privacy, Broadcasting & Cable reports. According to the agenda, “Seeking Common Ground Regarding Mobile Application Privacy” aims to “prioritize substantive elements that might be included in a code of conduct” and “prioritize working methods for this multistakeholder process.” A third meeting has been scheduled for August 29 to identify concrete steps to implement such goals, the report states. Editor’s Note: The IAPP will host a program dedicated to Marketing and Advertising at the Practical Privacy Series in New York, NY, on October 30.
Full Story

HEALTHCARE PRIVACY—CANADA

Class-Action Filed Against Eastern Health (August 21, 2012)

CBC News reports that a class-action lawsuit has been filed against Newfoundland and Labrador’s Eastern Health. The lawsuit follows the health authority’s disclosure in July that five employees had been fired for privacy breaches, including a nurse who accessed 122 patient records without permission. Despite an apology from Eastern Health’s chief executive officer, the plaintiffs’ attorney says there seems to be “a lack of sensitivity in terms of the impact that these breaches have had on people, and so far, the apology hasn’t been satisfactory.” The attorney also brought a class-action suit last week against Western Health over a privacy breach involving 1,043 patients’ medical records.
Full Story

ONLINE PRIVACY—U.S.

FOIA Request Indicates FTC Initiated Google Probe (August 21, 2012)

The Wall Street Journal (WSJ) reports on the origins of the Federal Trade Commission’s (FTC) investigation into Google’s practice of bypassing Apple users’ privacy settings. Though some have argued it was Stanford researcher Jonathan Mayer who spurred the investigation, documents and interviews obtained by the WSJ’s Freedom of Information Act request indicate the FTC had undertaken the investigation before Mayer’s tip. FTC Chief Technologist Ed Felten was the first to bring the issue to light in an e-mail to a staff attorney. Felten contacted Mayer, who had been Felten’s student at Princeton University, for data on Google’s practices. Google later agreed to a $22.5 million settlement with the FTC. (Registration may be required to access this story.)
Full Story

DATA LOSS—UK

Children’s Private Data Leaked Online (August 21, 2012)

The personal information—including names, addresses, accomplishments, illnesses and learning difficulties—of 1,367 children seeking to enter the country’s top independent schools was leaked online, The Independent reports. The company holding the data said it was a victim of a cyber attack and has since shut down the compromised website. An Information Commissioner’s Office spokesman said, “We will be making inquiries into the circumstances of any potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.” Meanwhile, Essex County Council has suffered a breach after an employee allegedly sent the sensitive personal data of 400 individuals to an unauthorized recipient.
Full Story

PRIVACY LAW—U.S.

Opinion: Money-For-Nothing Class Actions May Decline (August 21, 2012)

In a column for Reuters, Alison Frankel foretells the possible end of money-for-nothing class-action lawsuits. Citing six class outcomes in 2011—ones in which lawyers were awarded between $500,000 and $6.5 million—Frankel opines that they “may well represent the high point for contingency-free lawyers who engineer settlements with no tangible benefit for class members.” Frankel says a number of recent examples, including Friday’s decision by U.S. District Judge Richard Seeborg, suggest “that the days of money-for-nothing deals are coming to an end.”
Full Story

PRIVACY LAW—U.S.

Judge Rejects Facebook Settlement (August 20, 2012)
A judge has rejected Facebook’s settlement offer in a lawsuit over the company’s “Sponsored Stories” features and its lack of an opt-out provision, The New York Times reports. Judge Richard G. Seeborg of U.S. District Court in San Francisco, who earlier this month voiced concerns about the proposed settlement and its plan to pay $10 million to charity but nothing to class members, rejected the settlement, saying there are “sufficient questions regarding the proposed settlement” and asking for clarification on remediation for those affected and the size of the legal fee payment. Meanwhile, in an editorial for Slate Magazine, Philip Howard suggests Facebook be “nationalized” in order to restore public trust. (Registration may be required to access this story.)

PRIVACY LAW—HUNGARY

Hungarian DPA Issues Maximum Fine (August 20, 2012)

The Hungarian Data Protection Authority has imposed a fine of €35,700 on an online real estate marketplace for unauthorized data processing. The fine is significant in that it is the first maximum fine imposed under Hungary’s new Privacy Act, which took effect January 1. The company controlled websites that offered users free trial periods but later invoiced them high fees and transferred customer data to third parties without consent or notification. In this exclusive for The Privacy Advisor, Bird & Bird’s Bálint Halász discusses the details and implications of the case.
Full Story

BEHAVIORAL TARGETING—U.S.

E-Scores Help E-Commerce, Raise Concerns (August 20, 2012)

The growing use of e-scores—the digital valuations of a consumer’s purchasing potential—is becoming an important component to predictive consumer analytics but has federal regulators and consumer advocates worried it could put certain consumers at a financial disadvantage, The New York Times reports. Some advocates believe the practice creates a two-tiered system that can deny low-value consumers various opportunities. Neustar Chief Privacy Officer Becky Burr, CIPP/US, said the system helps companies locate and communicate with their markets. “They want to allocate their marketing money efficiently, and consumers want messages that are relevant,” she said, adding, the scores are predictions about consumer groups, not individuals. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—CANADA

Woman Sues Western Health for Breach (August 20, 2012)

A woman is suing the Western Health Regional Health Authority for breaching her private health information and seeks others to join for class-action status, CBC News reports. “The fact that my intimate, medical personal health information was accessed and my privacy breached is highly offensive and distressing,” the woman said. Western Health sent her a letter stating her information was viewed by a Western Health employee without purpose. Her lawyer said the employee may have seen information about the purpose for her visits. Western Health fired an employee last month for accessing 1,043 patient files.
Full Story

SURVEILLANCE—U.S.

Rise in License-Plate Scanners Prompts Debate (August 20, 2012)

InformationWeek reports on the growing use of automated license plate readers (ALPRs) by law enforcement and the accompanying concerns about privacy, security and whether license plates constitute personally identifiable information. ALPRs integrate cameras and optical character recognition software with a license plate database. The American Civil Liberties Union has released a report on the privacy and security implications of ALPRs. An ACLU representative said, “It’s not an exaggeration to say that in 10 years there will be ALPRs just about everywhere, making detailed records of every driver’s every movement and storing it for who knows how long.”
Full Story

HEALTHCARE PRIVACY—U.S.

Researchers Developing Patient-Controlled Exchange System (August 20, 2012)

Modern Healthcare reports on prototype health information exchange technology that allows patients and providers to exchange digital information across unaffiliated healthcare organizations. Developed by Wake Forest School of Medicine’s Department of Biomedical Engineering, the pilot system provides patients with an access key that can be shared with providers at the patient’s discretion. Privacy advocate Deborah Peel applauded the pilot system, saying, “The majority of current (health IT) systems and data exchanges violate medical ethics and patients’ long-standing right to control PHI…Bravo to the Wake Forest research team for finally building effective electronic patient consent tools.” (Registration may be required to access this story.) Editor’s Note: The IAPP will host the breakout session Beyond HIPAA—National Trends in Health Information Exchange and Granular Consent at the Privacy Academy in San Jose, CA.
Full Story

PRIVACY LAW—U.S.

Scholars Present Technology-Centered Privacy Approach (August 20, 2012)

Two legal scholars have released an article that proposes “a technology-centered approach to measuring and protecting Fourth Amendment interests in quantitative privacy.” Scholars David C. Gray and Danielle Keats Citron note that “technology can permit government to know us in unprecedented and totalizing ways at great cost to personal development and democratic institutions,” adding, “these concerns about panoptic surveillance lie at the heart of the Fourth Amendment as well.” Instead of “case-by-case assessments of information mosaics,” they argue that government access to “broad programs of continuous and indiscriminate monitoring should be subject to the same Fourth Amendment limitations applied to physical searches.”
Full Story

BIOMETRICS—U.S.

FBI To Provide Facial Recognition to Law Enforcement (August 17, 2012)
NextGov reports on a Federal Bureau of Investigation (FBI) initiative that will provide law enforcement agencies free facial recognition software. The new software will help agencies match suspects to the FBI’s biometric database of 12 million mug shots. In his annual report to Congress, Office of the Director of National Intelligence Information Sharing Environment Program Manager Kshemendra Paul wrote, “Later this summer, the FBI will deploy the Universal Face Workstation software, a free-of-charge client application that will provide users with the tools for conducting and managing facial/photo searches with a minimal resource investment.”

EMPLOYEE PRIVACY—U.S.

Federal Worker Monitoring Raises Privacy Concerns (August 17, 2012)

The Washington Post reports on software used by many federal agencies to monitor workers’ activities online. The WikiLeaks scandal and other unauthorized disclosures have prompted the government to collect larger, timely and detailed profiles of federal employees. The increased use of monitoring worries some privacy advocates, the report states, because of potential abuse, particularly related to whistle-blowing and the monitoring of personal e-mails. A 2010 incident with Food and Drug Administration scientists has been cited as one such example. A Defense Department representative said, “Nobody’s reading e-mails here…There has to be probable cause.” (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

One Provider Working To Balance Needs in EMRs (August 17, 2012)

A blog in The Wall Street Journal explores the challenges electronic medical records (EMRs) pose to chief information officers (CIOs) of healthcare facilities through the experiences of Hunterdon Healthcare System CIO Glenn Mamary. Offering password-protected doctor access to patient records and the ability to “break the glass” in case of emergency, Mamary attempts to strike a balance between patient privacy and necessary access, saying, “If we lock it down too much, we will be prohibiting (practitioners) from treating patients.” While practitioners have voiced complaints about the transition to EMRs, spikes in complaints are common in any transition, and a 24-hour IT staff is available to resolve problems, the report states.
Full Story

SURVEILLANCE—U.S.

Police Chiefs Sign Drone Codes of Conduct (August 17, 2012)

The International Association of Chiefs of Police (IACP) has adopted codes of conduct for the use of unmanned aerial vehicles (UAVs), The Washington Times reports. The recommended guidelines provide that captured images will be open for public viewing and will not be stored if there is no evidence of a crime or ongoing investigation. The codes recommend obtaining a warrant in cases where flights may intrude on an individual’s reasonable expectation of privacy, the report states. The IACP said, “Privacy concerns are an issue that must be dealt with effectively if a law enforcement agency expects the public to support the use of UAV by their police.”
Full Story

MOBILE PRIVACY—U.S.

Opinion: “Envelope Information” Should Be Protected (August 17, 2012)

In light of the new ability to text donations to political campaigns, Rachel Levinson-Waldman of the Brennan Center’s Liberty and National Security Program writes in Wired that with whom and when a person is communicating can be “even more sensitive than the substance of the communications themselves.” This “envelope information” can be obtained without a warrant from a judge and, in the case of campaign donations, offers data on political leanings—commonly from young and lower-income citizens, who are more apt to make text donations. “‘Envelope information’ should receive similarly enhanced protection,” Levinson-Waldman writes. “This would help assure that information including the political contributions of the young and low-income is not disproportionately swept into ever-expanding government databases.”
Full Story

PRIVACY LAW—AUSTRALIA

Australia Delays Internet Security Plan (August 16, 2012)
The Australian government has tabled an initiative that would have stored the web history of Australians for up to two years, The Sydney Morning Herald reports. Attorney-General Nicola Roxon has referred a discussion paper on the expanded governmental surveillance powers to a parliamentary committee, which will stall the plans until after the next election. Roxon recently said she’s not yet convinced the data protection proposals have merit. Supporters of the reforms are concerned with the delay, with one security official saying the reforms “are urgently needed to deal with a rapidly evolving security environment.”

PRIVACY LAW—JAMAICA

Info Regulator, Data Protection Law on the Way (August 16, 2012)

Jamaica Observer reports on the country’s forthcoming Data Protection Act, which “will regulate the use of personal information filed on Jamaicans.” Ministry of Science, Technology, Energy and Mining Minister of State Hon. Julian Robinson told the government recently that there is “a need for a more uniformed, robust and clear mandate to protect privacy and personal information.” The law will regulate data collection, processing, storage, use and disclosure of information about Jamaicans. Robinson added that a position will be established for a single information and communication technology regulator within the next couple of years.
Full Story

SURVEILLANCE—U.S.

Biometric Recognition Systems Becoming Ubiquitous (August 16, 2012)

In a column for The Guardian, Naomi Wolf reports on the growing use of biometric identifying systems in the public space. Wolf writes that she witnessed the installation of facial recognition cameras in several Manhattan public venues, allegedly allowing “police to watch video that is tagged to individuals, in real time.” Last week, New York City officials unveiled a system that “links existing police databases with live video feeds, including cameras using vehicle license plate recognition software,” she writes, adding, “In the name of ‘national security,’ the capacity is being built to identify, track and document any citizen constantly and continuously.”
Full Story

DATA PROTECTION—U.S.

Whitepaper Discusses Importance, Pitfalls of Internal Audits (August 16, 2012)

A PricewaterhouseCoopers whitepaper discusses internal audits’ ability to bolster security and prevent network breaches, eWeek reports. The whitepaper outlines how internal audits “have become a key pillar of security strategies in the age of data breaches” and how companies can make audits more effective. Believing adequate security measures already exist, for example, can sometimes undermine an audit’s purpose, the report states. “Internal audit departments need strong governance, which leads to respect, credibility and visibility,” said PricewaterhouseCoopers’ Carolyn Holcomb, who says senior management need to become more aware of the risks and concerns associated with security and privacy, and board-level support for audits is very important.
Full Story

DATA PROTECTION—U.S.

Survey: Data Security Tops Firms’ Concerns (August 16, 2012)

A new report has found that, “for the first time, data security was earmarked by the largest percentage of responding directors—48 percent—and general counsel—55 percent—as an issue of concern,” Out-Law.com reports. The Corporate Board Member (CBM) and FTI Consulting report surveyed 11,000 public company directors and nearly 2,000 general counsels in U.S.-based firms. One-third of the lawyers said their companies were “not effective at managing cyber risk,” while almost half of the directors said their companies had no formal response plan in place. CBM’s president said the discrepancy between the two is a “cause for concern.” Editor’s Note: The IAPP will host the preconference workshop, The DIYer’s Guide to Building Consensus Among Stakeholders After a Data Breach, at this year’s Privacy Academy in San Jose, CA.
Full Story

BIOMETRICS

Consumer ID Cameras Introduced, Raise Concerns (August 16, 2012)

The Ottawa Citizen reports on a U.S.-based company that is rolling out facial recognition services for businesses wanting to offer deals to customers. Facedeal users opt in to the service by uploading photos of their faces via Facebook, allowing the service to track users’ shopping habits at businesses using the technology. The creation of a database comprised of faces has raised red flags for Ontario Information and Privacy Commissioner Ann Cavoukian. In addition to data security concerns, she warned, “You don’t know where the information is going to end up, and I always say, beware of unintended consequences.”
Full Story

DATA PROTECTION—U.S.

Opinion: We Should Let the Market Sort Itself Out (August 16, 2012)

In a blog post for Harvard Business Review, Larry Downes discusses the relationship between large-scale data collection and privacy, a relationship he says is “more complicated than it seems.” The more information a company collects about a customer, the less interesting the information is. “Marketers want to know intimate facts about individual behaviors,” but the more they collect, the more anonymous individuals become; they are essentially “lost in a crowd.” To individuals, information used for specific targeting purposes is “creepy,” but legislation should be the last resort, Downes writes, adding that we should “give the market the first shot” at sorting itself out.
Full Story

PRIVACY LAW—U.S.

GPS Tracking: No Expectation of Privacy, Court Rules (August 15, 2012)
A federal court has ruled that the Drug Enforcement Administration did not violate the Fourth Amendment when it used an alleged drug runner’s cellphone data to track his movements, The Wall Street Journal reports. The defendant argued that information emitted from his mobile device could not be used because the authorities did not obtain a warrant. In the majority opinion, U.S. Court of Appeals for the Sixth Circuit Judge John M. Rogers wrote, “There is no Fourth Amendment violation because (the defendant) did not have a reasonable expectation of privacy” in the data emitted from his phone. (Registration may be required to access this story.)

BIOMETRICS—GERMANY

DPA Reopens Facebook Facial Recognition Probe (August 15, 2012)

Hamburg Data Protection Officer Johannes Caspar has reopened an investigation into Facebook’s facial recognition practices, saying the company is illegally amassing a photo database without users’ consent, The New York Times reports. Caspar said, “We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data.” Caspar’s office wants Facebook to destroy its database of faces collected in Germany and alter its website to obtain express consent, the report states. Facebook said, “We believe that the photo tag suggest feature…is fully compliant with EU data protection laws.” (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

DMA To Congress: Don’t Limit Data Brokers (August 15, 2012)

In a letter to Congress, the Direct Marketing Association (DMA) cautioned that restricting data brokers could stifle economic growth and innovation, MediaPost reports. New restrictions “could have negative consequences not only for data providers,” the letter states, “but for the countless entities that rely on such data sources to improve their marketing and grow their business.” Some lawmakers expressed concern that consumer profiles could contain inaccurate data. “The only ‘harm’ consumers might experience from inaccurate marketing data is an irrelevant advertisement,” the DMA wrote, adding that mandating more accurate data “would actually require the addition of more personally identifiable information” to databases.
Full Story

PRIVACY LAW—U.S.

NY Gov. Signs Laws To Protect New Yorkers’ SSNs (August 15, 2012)

New York Gov. Andrew Cuomo has signed a series of bills aimed at protecting New Yorkers’ privacy and personal information, WKBW reports. The new laws, effective later this year, prevent inmates from having access to individuals’ Social Security numbers and limit instances where entities may request the numbers. The governor said, “New Yorkers deserve the strongest protections possible,” and the bills “will ensure that New Yorkers’ personal information is kept private.”
Full Story 

HEALTHCARE PRIVACY—U.S.

Study: Patient-Controlled Sharing Best for Privacy (August 15, 2012)

A new scientific study by the Journal of the American Medical Informatics Association “validates the workability of a digital medical-imaging sharing system controlled by patients, not providers,” FierceHealthIT reports. While images are now shared with patients via a hand-carried CD, digital sharing networks challenge patient privacy, the report states. But the Patient Controlled Access-key Registry (PCARE) allows patients to control the access keys. The same PCARE framework can be used for electronic health records, the study states, adding that such a framework protects patient privacy with “minimal burden on patients, providers and infrastructure.”
Full Story

PRIVACY LAW—U.S.

Court: Police Did Not Violate Law In Viewing Facebook Profile (August 15, 2012)

FourthAmendment.com reports on a case involving a search warrant for all of a defendant’s Facebook content. In United States v. Meregildo, the defendant argued the government’s method of collecting evidence to obtain the warrant violated the Fourth Amendment. An online friend of the defendant’s reported him to the police on suspicion of gang activity and gave them access to the defendant’s Facebook profile. The court ruled the defendant had no reasonable expectation of privacy in his Facebook postings that others could see. The “friends” he shared his information with were free to do with that information what they wanted, the court said.
Full Story

PRIVACY LAW—U.S.

Judge Rules VPPA Applies To Video Streaming (August 14, 2012)
A federal judge has denied a motion filed by Hulu to dismiss a privacy lawsuit claiming the company violated the Video Privacy Protection Act (VPPA) when it shared user data with ad networks, MediaPost reports. U.S. Magistrate Court Judge Laurel Beeler ruled that the law covers video streaming—the first time a court has ruled the VPPA covers such technology. Beeler pointed out that lawmakers used the phrase “similar audiovisual material” when crafting the law in 1988, the report states. University of Minnesota law professor William McGeveran said, “Congress was really clear about wanting the interpretation to be technology neutral.”

PRIVACY LAW—UK

ICO “Not Ready” for Cookie Investigations (August 14, 2012)

The Information Commissioner’s Office (ICO) has said it is “not ready” to investigate any cookie consent rule complaints because staff is not yet in place for such a task, PCPro reports. Since the ICO unveiled its online submission tool, 320 websites have been reported. “At present the information has not yet been analyzed as the team which will have responsibility for this is not in place yet,” the ICO said. Meanwhile, according to a new study, fines issued by the ICO have totaled £1.8 million in the last year, up from £431,000 in the previous 12 months.
Full Story

CHILDREN’S PRIVACY—INDIA

Court Issues Guidelines on Children in the Media (August 14, 2012)

The Delhi High Court has issued new guidelines on the broadcast of news about children after a complaint was lodged when an injured child was shown on TV, Deutsche Welle reports. The guidelines state that the media “shall ensure that a child’s identity is not revealed in any manner, including but not limited to disclosure of personal information, photograph, school or locality and information of the family including their residential or official address.” The rules aim to protect children’s privacy “so that he or she may not be exposed to anxiety, distress, trauma or social stigma in the future,” the report states.
Full Story

DATA LOSS—U.S.

Retailer, Healthcare Company Offer Credit Monitoring Following Breaches (August 14, 2012)

The Boston Globe reports on a breach at retailer Petco Animal Supplies Inc. that exposed the personal details of hundreds of employees. The breach occurred in May when five laptop computers were stolen from a company hired to audit Petco’s 401k retirement plan. The information was encrypted, and there is no indication it has been used nefariously. Current and former employees will be provided with one year of credit monitoring. Meanwhile, California’s Apria Healthcare is offering 11,000 patients free credit monitoring after a laptop containing patient information—including Social Security numbers—was stolen from an employee’s car. The company says it is in the process of encrypting its laptops.
Full Story

HEALTHCARE PRIVACY—U.S.

Expert: Strong State Laws Complicate Data Sharing (August 14, 2012)

Strict state healthcare privacy laws are complicating health information exchanges, but according to a federal official, one potential key to overcoming the obstacles is increasing the use of meta tags, Modern Healthcare reports. Office of the National Coordinator for Health Information Technology Chief Privacy Officer Joy Pritts says that some health information exchanges are not accepting medical records containing mental health or substance abuse data because some state regulations are stronger than federal laws. In response, her office has been developing meta-data tagging standards as a potential technological solution to the issue. (Registration may be required to access this story.) Editor’s Note: The IAPP will host the breakout session, Beyond HIPAA—National Trends in Health Information Exchange and Granular Consent, at the Privacy Academy in San Jose, CA.
Full Story 

PRIVACY LAW—U.S.

FTC Finalizes FB Settlement; Reconsiders Liability Denials (August 13, 2012)
The Federal Trade Commission (FTC) finalized a settlement with Facebook last Friday over alleged privacy policy violations. FTC Commissioner Thomas Rosch submitted a dissenting statement, saying the agreement undermined the agency’s authority because it allowed the company to deny any liability, The New York Times reports. Though Rosch agreed with most of the settlement, he said the FTC’s Rules of Practice “do not provide for such a denial” of the charges, adding, “We’re inviting denials of liability in every case in the future.” The other commissioners said they may reconsider the denial of liability policy, the report states. Morrison & Foerster LLP Partner D. Reed Freeman, CIPP/US, told the Daily Dashboard that the FTC "has been accepting settlements with express denials of liability for decades without any adverse consequences. This policy has helped encourage companies to enter into settlements because any follow-on litigation would still bear the burden of proving liability on their theories. Requiring an admission of guilt will lower the settlement rate, increase the litigation rate and draw precious commission resources from investigating and bringing new cases to proving up old ones in court." (Registration may be required to access this story.)

DATA PROTECTION—SWEDEN

Government Gets Go-Ahead for Blacklist Database (August 13, 2012)

The Swedish Data Inspection Board will allow the government to start a registry of blacklisted sports supporters, The Local reports. The board says there are a number of issues that need to be addressed before the registry moves forward, including exactly what information would be kept on blacklisted individuals and the way innocent individuals would be affected by proposed measures such as increased surveillance. The board also says an in-depth analysis of what information would be available to sports associations and event organizers is necessary. “There’s always a risk that information kept in these types of sensitive registers will fall into the wrong hands,” said the board’s director general.
Full Story

PRIVACY LAW—U.S.

TSA Petition Closes 2,500 Signatures Short, Other Efforts Move Forward (August 13, 2012)

Despite reports that the White House had pulled a petition on Transportation Security Administration (TSA) airport screening procedures from its “We the People” website, the Cato Institute’s Jim Harper, who initiated the petition, told the Daily Dashboard it expired on schedule and was short “by about 2,500 signatures, or 10 percent of the 25,000 needed.” Harper added that other “parts of the effort to require the TSA to follow the law are moving forward. The DC Circuit Court of Appeals recently instructed the TSA to answer legal filings calling for it to go forward with the process for public review of its rules.”
Full Story

PRIVACY LAW—U.S.

Rep. Markey Releases Cellphone Privacy Proposal (August 13, 2012)

Rep. Ed Markey (D-MA) has released a discussion draft of legislation that would limit the number of requests by law enforcement for private cellphone data, The Hill reports. The Wireless Surveillance Act of 2012 would require law enforcement officials to provide regular request disclosures and to acquire warrants prior to using geolocation tracking as well as stipulate data retention limits on personal information held by carriers. The proposal comes after Markey’s inquiry of nine wireless providers earlier this year. “With searches and seizures now happening in cyberspace,” Markey said, “this legislation will update the Fourth Amendment for the 21st century.”
Full Story

PERSONAL PRIVACY—U.S.

Mobile Payment Systems on the Rise (August 13, 2012)

The New York Times reports on Starbucks’ recent partnering with technology startup Square, which will allow customers to pay for things with a smartphone. But "any company offering mobile payments faces a big challenge: convincing people that paying with a phone is safer and more convenient than using cash or a credit card,” the report states. Some have said the convenience “may present a compromise on user privacy.” (Registration may be required to access this story.) Editor’s Note: The IAPP will host the breakout session, For Whom the Cell Tolls: How a Mobile Payment Really Works, at this year’s Privacy Academy in San Jose, CA.
Full Story

ONLINE PRIVACY

The Difficulties of Cultivating Online Trust (August 13, 2012)

The New York Times reports on security expert Bruce Schneier’s concerns about how trust “is cultivated, destroyed and tweaked in the digital age.” Schneier says we have long-standing ways of establishing trust offline, but online, “this becomes even more complicated.” In his latest book, Liars and Outliers: Enabling the Trust That Society Needs to Thrive, he writes, “The technology changes how our social interactions work, but it’s easy to forget that,” adding, “In this way, our traditional intuition of trust and security fails.” In particular, Schneier worries about government agencies and private companies “advancing their own interests, whether for surveillance or commerce.” (Registration may be required to access this story.) Editor’s Note: Inside 1to1: PRIVACY recently caught up with Martha Rogers to discuss her new book, Extreme Trust: Honesty as a Competitive Differentiator.
Full Story

PRIVACY LAW—U.S.

The Political Struggles of the PCLOB (August 10, 2012)
The New York Times reports on the Privacy and Civil Liberties Oversight Board (PCLOB), noting, “It’s probably fair to say that few governmental bodies have had a more troubled childhood than this one.” Chief among the concerns, the report states, is that, “because of the objection of unnamed senators,” the Senate has yet to confirm David Medine as PCLOB chairman. Alan Charles Raul, a Washington lawyer who previously served as vice chairman of PCLOB during the Bush administration, told the Daily Dashboard that he is “not aware of any reason why the committee would not have confirmed” Medine. Raul believes that Medine “would make an excellent choice for chairman” and, in a letter to Congress last April, wrote “in strong support” of Medine’s nomination. With new cybersecurity initiatives being considered by the White House and Congress, Raul said “it is imperative that (PCLOB) become operational once again.” (Registration may be required to access this story.)

PERSONAL PRIVACY—U.S.

Remote Payments Plan May Compromise Privacy (August 10, 2012)

Marketplace reports on plans by Starbucks to use a payment system that will allow customers to pay for their items remotely. The company has announced it will use the Square payment system for credit and debit card transactions, which will allow consumers to pay using card readers attached to phones. One of Square’s apps allows customers to pay via a GPS system without having to present the phone. The convenience may present a compromise on user privacy, the report states.
Full Story

PRIVACY LAW—IRELAND

Commissioner: Top Banks To Be Audited (August 10, 2012)

Irish Times reports that the Office of the Data Protection Commissioner (DPC) will audit Ireland’s top banks in the coming months. The announcement comes after the DPC discovered that AIB “supplied inaccurate personal data” to the Irish Credit Bureau (ICB) in breach of data protection law and resulting in the denial of credit to individuals. AIB has confirmed the incorrect reporting of missed loan repayments to the ICB over a six-year period. One MEP said the DPC “has performed excellently in this case; however, we need to strengthen and reinforce the office to ensure that it can effectively monitor companies, investigate breaches and protect individuals."
Full Story

PRIVACY LAW—U.S.

Record-Setting Settlement Stirs Debate (August 10, 2012)

In response to Google’s agreement to pay the largest Federal Trade Commission (FTC) fine in history, FTC Chairman Jon Leibowitz said, “No matter how big or small, all companies must abide by FTC orders against them and keep their privacy promises to consumers, or they will end up paying many times what it would have cost to comply in the first place.” Within hours of the announcement, the FTC took to social media to answer questions from varying sides of the privacy debate. This Daily Dashboard exclusive looks into how the debate unfolded on Twitter and Facebook.
Full Story

DATA PROTECTION—U.S.

White House Considers Executive Cybersecurity Order (August 10, 2012)

White House Homeland Security Adviser John Brennan has said the administration is exploring whether to issue an executive order to protect the nation’s infrastructure, Reuters reports. Given the grim outlook for a Senate cybersecurity bill endorsed by President Barack Obama, Brennan said an order from the president would be a “good vehicle” to push government agencies to “make sure the nation is protected.” The U.S. Chamber of Commerce has said the cybersecurity bill would be burdensome on companies, while The Silicon Valley Leadership Group—comprising 375 members—supports the bill. If Congress is not going to act, “then the president wants to make sure we are doing everything possible,” Brennan said.
Full Story

HEALTHCARE PRIVACY—UK & U.S.

Comparing Each Nation’s Privacy Enforcement Strategies (August 10, 2012)

A GovInfoSecurity report analyzes the healthcare breach enforcement strategies of the UK and the U.S. In the UK, the emphasis is on “publicizing frequent financial penalties” while the U.S. focus has centered on the announcement of less frequent “resolution agreements.” This year, the UK has handed out 11 fines totaling £1.4 million—approximately $2.2 million—and the U.S. has issued three resolution agreements totaling $3.3 million. “The jury is out on which nation’s approach will be more successful in reducing the number of breaches over the long haul,” the report states.
Full Story

PRIVACY LAW—U.S.

Federal Employees Sue Over Privacy (August 10, 2012)

Several federal employees and their representing organizations have filed a privacy protection lawsuit against the federal government, according to The Weissman Report. The plaintiffs in Senior Executives Association v. United States claim that the recently passed Stop Trading on Congressional Knowledge (STOCK) Act violates their constitutional right to “informational privacy.” Filed in the U.S. District Court of Maryland, the suit seeks to protect the financial information of approximately 28,000 federal employees. The STOCK Act, slated to go into effect on August 31, mandates that all federal agencies disclose the financial forms of senior civilian and military employees for public viewing online.
Full Story

DATA LOSS

Gamers Urged To Change Passwords After Breach (August 10, 2012)

Blizzard Entertainment is warning gamers to change their passwords due to a security breach of its internal network, CNET News reports. Certain e-mail addresses and scrambled passwords are believed to have been stolen, according to the company. “At this time, we’ve found no evidence that financial information such as credit cards, billing addresses or real names were compromised,” said company President Michael Morhaime in a blog post. “Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.”
Full Story

HEALTHCARE PRIVACY—U.S.

Study: Consumers Concerned About EHRs (August 10, 2012)

A new survey has found that patients have strong concerns about privacy and security when it comes to switching from paper to digital medical records, InformationWeek reports. The Harris Interactive study on behalf of Xerox indicates 40 percent of those surveyed believe electronic health records (EHRs) will help doctors deliver better care, but only 26 percent said they want their records to be digital, and nine percent said the idea “frightens them.” Privacy is a “common concern” about EHRs, said Xerox’s chief innovation officer for healthcare. “There is definitely a need for better information systems and interfaces.”
Full Story

FTC answers Google settlement queries in robust social media chats (August 10, 2012)

By Jedidiah Bracy, CIPP/E, CIPP/US

Within hours of announcing that Google had agreed to pay a $22.5 million fine to settle charges it bypassed Apple Safari privacy settings, the Federal Trade Commission (FTC) took to social media to answer questions from varying sides of the privacy debate.

Through Twitter and Facebook, the FTC publicly answered questions from those interested in the largest civil penalty in the agency’s history.

And not everyone supported the settlement.

Some echoed concerns expressed in FTC Commissioner Thomas Rosch’s dissenting statement. The FTC alleged that Google’s use of cookies on Safari browsers deceived consumers and violated its consent decree and, in its settlement, allowed the company to not admit liability.

“This scenario—violation of a consent order,” wrote Rosch, “makes the commission’s acceptance of Google’s denial of liability all the more inexplicable.”

TechFreedom President Berin Szoka tweeted, “How can msg sent be ‘clear’ when there’s not admission of liability or explanation of violation or fine?”

Megan Gray and Megan Bartley, both from the FTC’s Division of Enforcement, tweeted in reply, “Is there any ambiguity that FTC acted vigorously 2 enforce its order? What’s impt is actions not words; $22.5M is loud.”

Several questioned how the fine could be justified, while others wondered whether the fine appropriately acts as a deterrent to a company that makes billions of dollars a year in profit.

One participant asked the FTC what impact the settlement may have on the web industry. Through Twitter, the FTC responded, “We want the web industry to abide by the promises it makes to its customers.”  

Justin Brookman, director of the Center for Democracy & Technology’s (CDT) Project on Consumer Privacy, voiced support for the agency’s decision.

In a CDT press release, Brookman said, “The action demonstrates the FTC is a champion for consumer privacy rights,” adding, “It’s especially impressive that the FTC moved so quickly to reach its largest settlement in history.”

Calling it a “pyrrhic victory for privacy,” Szoka and International Center for Law & Economics Executive Director Geoffrey Manne took a much different stance, writing in their own release, “Such arbitrary regulation-by-settlement undermines the rule of law and harms consumers by deterring privacy disclosures.”

The ringing disagreements and vociferous dialogue during Thursday’s social media chats indicated the FTC’s participation in these Web 2.0 platforms provides a...

ONLINE PRIVACY

Google To Include Gmail Content in Web Searches (August 10, 2012)

Google has announced plans to roll out a new feature to a million Gmail users who sign up for it, and after accepting feedback, hopes to give all accountholders the ability to opt in to the feature that would allow contents of users’ Gmail correspondences to be included in their Google searches, reports the Associated Press. The feature is a response to a more people-centered Internet driven by the prevalence of information sharing on social networks, the report states, and may bring with it privacy concerns. To alleviate these concerns, Google will show Gmail communications in a collapsed format that users have to open in order to see details.
Full Story

PRIVACY LAW—U.S.

Google Agrees to $22.5 Million Settlement; FTC Settles with HireRight (August 9, 2012)
Google has agreed to a $22.5 million settlement with the Federal Trade Commission (FTC) over charges involving tracking cookies on Apple’s Safari Internet browser. The FTC has also settled with an employment background screening company for $2.6 million on charges it violated the Fair Credit Reporting Act. The FTC says HireRight Solutions failed “to use reasonable procedures to assure the maximum possible accuracy of information it provided,” failed to give consumers copies of their reports and failed to resolve consumer disputes. The FTC also alleges HireRight failed to ensure the information reflected updates to criminal records and “in numerous cases, even included the records of the wrong person,” leading to consumers being denied job opportunities.

PRIVACY LAW—U.S.

Christie Signs Privacy Bill (August 9, 2012)

New Jersey Gov. Chris Christie has signed into law a bill that aims to protect the privacy of accident victims by prohibiting emergency responders from photographing or disclosing such photographs, NJTODAY reports. Assemblyman Craig Coughlin said S199/A789 is “not an injunction on our first responders…but the callous few who violate the privacy of the people they are charged with protecting.” Coughlin added, “In an era where photos and videos can live in perpetuity online, no family should ever have to worry about distressing images of their loved ones being displayed without their consent.”
Full Story

PRIVACY LAW—CHINA

Gov’t Proposes Healthcare Privacy Draft Regulation (August 9, 2012)

China’s Ministry of Health has proposed a draft regulation requiring health departments to protect and secure patient privacy, Xinhua reports. The regulation would amend the Tuberculosis (TB) Prevention and Control Regulation and is now open for public comment. The draft says, “Health departments can obtain information from units or people and inspect related venues out of the need for TB prevention and treatment” but should also maintain patient privacy. Entities that leak private information will be disciplined or prosecuted, the report states.
Full Story

ONLINE PRIVACY

Search Tool Moves Toward Artificial Intelligence (August 9, 2012)

The New York Times reports on a Google search tool that aims to understand human meaning, have spoken conversations and provide results—not only from the Internet but from users’ personal lives. The tool, which is being rolled out to the first million volunteers, will also incorporate a user’s Gmail messages to aid in searches. Google Senior Vice President of Search Amit Singhal said the moves are “baby steps in the direction of making search truly universal” and toward building in artificial intelligence. The company emphasized that users can turn the search tool off. Singhal added, “We have to do this very carefully; we know that.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Court Reinstates Driver’s Privacy Class-Action Suit (August 9, 2012)

A federal appeals court has decided to reinstate a class-action suit involving private data on parking tickets, Wired reports. The 7th U.S. Circuit Court of Appeals has decided against Chicago’s Palatine Village Police Department, ruling that putting too much personal information on parking citations violates U.S. law. The information on the department’s parking citations includes the vehicle owner’s name, address, driver’s license number, date of birth, sex, height and weight, the report states, and is usually left under a windshield wiper blade. One motorist filed suit in 2012, but a federal judge then denied the claim, citing a law enforcement exception in the Driver’s Privacy Protection Act.
Full Story

DATA PROTECTION—UK

ICO Issues Guidance for SMBs (August 9, 2012)

The Information Commissioner’s Office (ICO) has issued guidance on the top five areas of improvement recommended for small- and medium-size businesses. Among the suggestions, staff training and communication with customers are the most important, SC Magazine reports. The office suggests organizations tell people how their data is being used; ensure proper staff training; use strong passwords; encrypt portable devices; and only retain data for as long as necessary. The ICO recommends charities and third parties conduct data protection checkups given that they often handle sensitive information. The office also offers advisory visits to organizations seeking advice on data protection improvements.
Full Story

DATA THEFT—U.S.

Amazon, Apple Address Security Loopholes (August 9, 2012)

Following the identity hacking of a Wired reporter, Amazon and Apple have altered security authentication protocols. The assailants allegedly accessed the reporter’s Amazon account by calling the company and using his name, e-mail address and mailing address and then used the last four digits of the user’s credit card to access his Apple account, Wired reports. In response, the companies are not allowing customers to call in and change account settings. An Apple representative said, “When we resume over-the-phone password resets, customers will be required to provide even stronger identity verification to reset their password.”
Full Story

PRIVACY LAW—AUSTRALIA

Privacy Commissioner Wants Payload Data Deleted (August 8, 2012)
The Australian Privacy Commissioner has called on Google to destroy data collected from open WiFi networks, iTnews reports. The commissioner sent a letter to Google’s Australian head of public policy and government affairs ordering its immediate destruction, the report states. “I do not require Google to retain the additional payload data, and unless there is lawful purpose for its retention, Google should immediately destroy the data,” Pilgrim wrote. “Further, I also request that Google undertakes an audit to ensure that no other disks containing this data exist and to advise me once this audit is completed.” Commissioners from the UK, France and other jurisdictions have made similar requests.

ONLINE PRIVACY

Internet Explorer 10 To Keep DNT By Default (August 8, 2012)

Microsoft has announced it will keep its default do-not-track (DNT) setting in Internet Explorer 10 (IE10), Ars Technica reports. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “Customers will receive prominent notice that the selection of Express Settings turns DNT on.” Users will also have the option to opt out of DNT in the customize setting. Lynch added, “Our approach to DNT in IE10 is part of our commitment to privacy by design and putting people first…We believe consumers should have more control over how data about their online behavior is tracked, shared and used.”
Full Story

MOBILE PRIVACY—U.S.

Campaign App Discloses Nearby Voters (August 8, 2012)

The Washington Post reports on a mobile app created by the Obama campaign that shows a map with lists of the first and last names of nearby voters. The app is meant to help campaign volunteers canvass for potential voters and send the data back to the campaign. Privacy advocate Shaun Dakin has said the app is concerning because it reveals ages, potentially leading to targeted scams. Electronic Privacy Information Center Executive Director Marc Rotenberg said, “Party affiliation is public information, available through the state voter registration records…Still, both campaigns are digging deep into the private lives of voters.” (Registration may be required to access this story.)
Full Story

CLOUD COMPUTING

The Cloud and Its Privacy Risks (August 8, 2012)

TECHNEWSWORLD reports that privacy in the cloud “may be an illusion,” and businesses relying on the cloud should be aware of its privacy risks. Laws in the U.S., EU and elsewhere allow government agencies access to cloud data, and Mutual Legal Assistance Treaties facilitate cooperation across borders, allowing law enforcement to request data in any country that is a part of such a treaty. The report points to a recent whitepaper that concludes “it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities.”
Full Story

DATA PROTECTION—UK

Advocate: Gambling Industry “Ignores” Privacy Laws (August 8, 2012)

The founder of Privacy International, Simon Davies, has said the online gaming industry is failing to adequately protect its customers’ personal data and violates the UK’s Data Protection Act (DPA), computing.co.uk reports. After analyzing the industry for two years, Davies says many online sites collect vast amounts of personal information, including passport and credit card scans, driver’s licenses and utility bills. “All the available evidence indicates that this information is stored permanently,” Davies has said, adding that this constitutes a violation of the third and fifth principles of the DPA, the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

VA Improves Security, Other Breaches Persist (August 8, 2012)

GovernmentHealthIT reports on improvements in data protection at the Veterans Affairs Department due to the use of encryption. The department now encrypts all of its information operations laptops following a 2006 data breach involving the theft of a laptop containing data on millions of veterans. Additionally, the department’s chief information officer now oversees its IT operations, and privacy and security policies and procedures as well as employee training have been put in place. Meanwhile, COMPUTERWORLD reports that in the last three years, about 21 million patients’ medical records have been exposed in data security breaches large enough to require reporting to the federal government.
Full Story

PRIVACY LAW—BRAZIL

Brazil To Vote on Internet Bill of Rights (August 7, 2012)
Global Voices reports on Brazil’s Marco Civil da Internet—a proposed “bill of rights” for Internet users—which is expected to come to a vote before Congress on August 8. The bill “establishes a clear set of rights and responsibilities for users, sets strong net neutrality principles and shields Internet intermediaries from liability for illegal content posted by users,” the report states. The Bureau of Legislative Affairs of the Brazilian Ministry of Justice began collaborating with Rio de Janeiro Law School on the creation of the Marco Civil da Internet in 2009.

PRIVACY LAW—EU

Committee: Too Many Exceptions and Restrictions in EC Proposals (August 7, 2012)

The European Economic and Social Committee has said search engines, social networks and some cloud computing services should be brought within the scope of forthcoming European data protection reforms, Out-Law.com reports. The committee said the European Commission’s proposals need to be “more in line with the needs and expectations of the public,” and it is concerned about the number of exceptions and restrictions within the proposals. “The proposal could have gone further in increasing the protection offered by certain rights,” the committee said in a report, adding that the rules should be “applied more systematically to certain fields of economic and social activity.”
Full Story

DATA LOSS—UK

ICO Fines Health Trust £175,000 (August 7, 2012)

The Information Commissioner’s Office (ICO) has fined a health trust £175,000 for inadvertently publishing the sensitive personal information of approximately 1,000 staff members on its website in April 2011, The Independent reports. Torbay Care Trust released a spreadsheet that contained staff members’ sexual orientations and religious beliefs in addition to names, birth dates, salaries and National Insurance numbers. Describing the incident as “serious” and “extremely troubling,” the ICO’s investigation revealed that the organization has poor privacy guidance for staff. The ICO said the trust is “taking action to keep its employees’ details secure.”
Full Story

PRIVACY LAW—U.S.

ECPA Reform Would Require Warrant for Cloud Data (August 7, 2012)

WIRED reports on a proposal to amend the 26-year-old Electronic Communications Privacy Act (ECPA). Legislators have called for “sweeping changes…that for the first time would require the government to obtain a probable cause warrant to access data stored in the cloud,” the report states. “Communications technology is evolving at an exponential rate and, as such, requires corresponding updates to our privacy laws,” said Rep. Jerrold Nadler (D-NY), who is sponsoring the package with Rep. John Conyers Jr. (D-MI), adding, “This new legislation will ensure that ECPA strikes the right balance between the interests and needs of law enforcement and the privacy interests of the American people.”
Full Story

PRIVACY LAW—U.S.

Court: License Plate Decal Doesn’t Violate Privacy (August 7, 2012)

New Jersey’s Supreme Court has found that requiring young drivers to affix a red decal to their license plates is not an invasion of privacy, The Star Ledger reports. The court ruled 6-0 that the law mandating the decal does not violate the Driver’s Privacy Protection Act, which forbids the disclosure of information about a driver except that they are under 21 and hold a learner’s permit, examination permit or probationary license, the report states. Young drivers “have no reasonable expectation of privacy in their age group, because a driver’s age group can generally be determined by his or her physical appearance, which is routinely exposed to public view,” the court said.
Full Story

FINANCIAL PRIVACY—U.S.

Opinion: Access to Privacy Preferences Needed (August 7, 2012)

In a column for the Los Angeles Times, David Lazarus observes the difficulty consumers have when attempting to access their privacy settings with their financial institutions. Banks must notify customers annually that their personal data could be shared with third parties if they do not opt out, but informing customers of their previously stated privacy preferences is not a legal requirement, the report states. “This is a loophole that needs filling,” writes Lazarus, adding, “Otherwise, consumers will be needlessly confused every time they receive an obligatory annual notice informing them that their personal info could be shared.”
Full Story

PRIVACY LAW—JAMAICA

Jamaica To See Data Protection Act This Year (August 6, 2012)
Jamaica will enforce its Data Protection Act within this financial year, according to Hon. Julian Robinson, minister of state in the Ministry of Science, Technology, Energy and Mining. Robinson told the House of Representatives on July 31 that the Data Protection Act aims to regulate the collection, processing, retention, use and disclosure of personal information. “There was a need for more uniform, robust and clear mandate to protect privacy and personal information,” Robinson said.

HEALTHCARE PRIVACY—AUSTRALIA

E-Health Reforms Expand Commissioner’s Powers (August 6, 2012)

FutureGov reports on Australia’s rollout of new privacy safeguards in the Personally Controlled Electronic Health Records program. Under the reforms, which expand upon existing obligations under Australia’s Privacy Act 1988, Australian Privacy Commissioner Timothy Pilgrim may seek civil penalties and enforce undertakings by organizations that fail to protect patient records. Healthcare providers are now obligated to refrain from collecting more patient information than is necessary and to ensure staff are appropriately trained in data protection. The reforms expand Pilgrim’s powers and allow consumers to make decisions about who sees their records and what information is shared with third parties.
Full Story

PRIVACY LAW—HONG KONG

New Ordinance Will Change Privacy Landscape (August 6, 2012)

Following the publication of Hong Kong’s Personal Data (Privacy) (Amendment) Ordinance (PDPAO) in the Government Gazette earlier this month, DLA Piper analyzes the key amendments that will be implemented in several phases, starting October 1. Key amendments of the PDPAO include the regulation of the use of personal data for direct marketing; regulation of third-party processors; new powers for the data protection authority to assist in civil actions and to verify the accuracy of data user returns; and new rules against unauthorized personal data disclosure and repeated violations of an enforcement notice. Provisions related to direct marketing and new regulatory powers are slated to go into effect in 2013. Editor’s Note: The Privacy Advisor recently caught up with Hong Kong Privacy Commissioner for Personal Data Allan Chiang for a Q&A.
Full Story

PRIVACY LAW—EU

Member States Concerned About Proposed EU Regulation (August 6, 2012)

Out-Law.com reports on a leaked file from the Council of Ministers containing concerns by the UK government about proposed EU data protection reforms. “We are of the view,” the file states, “that the proposed general regulation should be a directive in order to provide greater member state flexibility to implement the measures—a regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice.” The leaked document was published by civil liberties organization Statewatch and contains the opinions of 20 European states on the proposed reform.
Full Story   

PRIVACY LAW—U.S.

Lawyers Ask for Reversal in Supreme Court Pilot Case (August 6, 2012)

A panel of lawyers has urged Congress to adopt legislation that would undo the Supreme Court’s decision in Federal Aviation Administration v. Cooper, reports Legal Times. In the case, the Supreme Court ruled pilot Stanley Cooper could not recover damages sought for emotional distress after government agencies shared his medical records. Ohio State University Moritz College of Law Professor Peter Swire, CIPP/US, said the Supreme Court’s interpretation of the Privacy Act was “more narrow than intended,” adding that “emotional harms that are proven to a judge are real harms here, and we should put that back in the law.” An ACLU spokesman said the ruling weakened the remedies for a breach.
Full Story

DATA LOSS—U.S.

Breaches Hit Health Orgs, EPA; Costly for LinkedIn (August 6, 2012)

In three separate incidents, Palm Beach County Health Department (PBCHD), Stanford’s medical school and the Environmental Protection Agency (EPA) have announced personal data breaches. A PBCHD employee was fired for illegally accessing patient records to allegedly create a list for identity theft. Stanford School of Medicine officials have warned 2,500 patients their personal health data may have been breached after the theft of a computer, and the EPA confirmed that approximately 8,000 individuals’ Social Security numbers and bank routing numbers may have been exposed. Meanwhile, LinkedIn said that a breach earlier this year has already cost the company at least $1 million, SC Magazine reports. Editor’s Note: The IAPP Privacy Academy will feature the breakout session, “Key Data Breach Mistakes and How You Overcome Them” in San Jose, this October.
Full Story

BIOMETRICS—U.S.

Commission Discusses Limits of “Anonymous” Data Research (August 6, 2012)

In blog.Bioethics.gov, the Presidential Commission for the Study of Bioethical Issues discusses genomic database security. The commission recently heard from experts on the topic of DNA trails and the difficulties of conducting research on “anonymous” genomic data. Laura Lyman Rodriguez, director of policy communication and education at the National Human Genome Research Institute at the National Institutes of Health, noted the risks in DNA itself. “Why would someone hack our servers to access my data when you could follow me to a coffee shop and grab a sample from my used coffee cup?”
Full Story

PRIVACY LAW—U.S.

Senate Confirms Four to Oversight Board (August 3, 2012)
The U.S. Senate has confirmed four of the five nominees for the Privacy and Civil Liberties Oversight Board, writes Peter Swire, CIPP/US, for Concurring Opinions. Those confirmed are Rachel Brand, Elizabeth Cook, Jim Dempsey and Pat Wald. “This is good news,” Swire writes. “The importance of having the board in place has been underscored recently by the Senate’s consideration of the cybersecurity bill. If there is lots of information sharing, then there should be effective oversight of that sharing.” However, Swire adds, the board lacks a chairperson since that nominee was voted out, meaning the “Senate has more work to do on this.”

PRIVACY LAW—U.S.

Court: ZIP Code Ruling Applies Retroactively (August 3, 2012)

A U.S. District Court has held that the California Supreme Court’s ruling in Pineda v. Williams Sonoma, which found that ZIP codes are personal information, applies retroactively. Retail stores in California frequently ask for ZIP codes during purchase transactions, but Jessica Pineda filed suit after a 2008 visit to a Williams Sonoma store in California where a cashier asked for her ZIP code without telling her how the information would be used. The U.S. District Court has ruled that the decision applies retrospectively to a class-action lawsuit filed against OfficeMax. In this exclusive for The Privacy Advisor, Venkat Balasubramani examines the case and its implications.
Full Story

PRIVACY LAW—U.S.

Man Sues Tech Company for Data Breach (August 3, 2012)

A New Hampshire man has sued Yahoo for negligence after hackers accessed and disclosed as many as 450,000 users’ names and passwords, Bloomberg reports. Allan v. Yahoo has been filed in a San Jose, CA, federal court and seeks an order mandating the company compensate some of the users for account fraud and for failing to have adequate security measures in place at the time of the event, the report states. The hacker group responsible said it did not perform the attack for malicious reasons but to provide businesses with a wake-up call to better secure personal data.
Full Story

PRIVACY LAW—U.S.

Illinois Law Prohibits Employers from Asking for Social Media Passwords (August 3, 2012)

Illinois became the third state to pass a law prohibiting employers from requiring employees or job applicants to provide access to their social media accounts when Illinois Gov. Pat Quinn signed the bill Wednesday, The Wall Street Journal reports. Maryland and Delaware have passed similar laws. In addition, California is considering a similar bill, and Michigan and New Jersey have their own versions in the works. In total, at least 15 states have introduced social media legislation in some form, according to the attorney who advised the Illinois bill’s sponsor. (Registration may be required to access this story.) Editor’s note: For more on social media’s advantages and risks, read “Check: Are You Ready for Social Media?”
Full Story

PRIVACY LAW—U.S.

Cybersecurity Bill Dies in Senate (August 3, 2012)

The cybersecurity bill introduced by Sens. Joe Lieberman (I-CT) and Susan Collins (R-ME) has died in the Senate, The New York Times reports. The legislation failed to garner enough support in a cloture vote. The legislation, according to the report, “reflects a confluence of concerns over civil liberties and national security.” The one measure that survived would allow private businesses and government agencies to share data about cybersecurity threats. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Lawmakers Introduce ECPA Reforms (August 3, 2012)

Members of the House Judiciary Committee yesterday introduced legislation aimed at updating and clarifying the Electronic Communications Privacy Act (ECPA), NationalJournal reports. Submitted by Reps. John Conyers (D-MI) and Jerrold Nadler (D-NY), the bill would require law enforcement to obtain warrants for electronic communications and would set clear standards and notice obligations for when government authorities can access such data. Business Software Alliance President and CEO Robert Holleyman supports reform of ECPA, saying, “Any country that wants to succeed in the cloud needs clear and consistent rules to protect users’ privacy while enabling the free flow of data and commerce.”
Full Story

PRIVACY LAW—U.S.

Judge Concerned About Facebook Settlement (August 3, 2012)

Reuters reports on a U.S. judge’s “significant concerns” about a proposed legal settlement on Facebook’s “sponsored stories” feature. U.S. District Court Judge Richard Seeborg said at a hearing on Thursday that the company’s plan to pay $10 million for legal fees and $10 million to charity “doesn’t make any sense” and questioned why members of the class-action shouldn’t be allowed to recover money. Facebook’s attorney said changes to the site’s feature—including the ability for parents to opt their children out—have “significant benefit to the class.” Seeborg is not expected to make a final decision for several months, the report states.
Full Story

PRIVACY LAW—U.S.

DOC Reports on First Stakeholder Meeting (August 3, 2012)

The Department of Commerce National Telecommunications and Information Administration (NTIA) Director of Privacy Initiatives John Verdi reports on progress toward implementing the Obama administration’s Consumer Privacy Bill of Rights. The first stakeholder meeting drew hundreds of participants and raised “constructive suggestions regarding what elements might be included in the code,” Verdi writes, adding that the NTIA’s role will not be to weigh in on issues but to guide a transparent and consensus-based process. The NTIA will hold the next two stakeholder meetings August 22 and August 29 and has posted discussion lists from the last meeting. In the meantime, stakeholders have created a public mailing list to discuss the process.
Full Story

DATA LOSS—U.S.

Breaches Reported; Public-Sector Breach Numbers Rise (August 3, 2012)

Hospitals in Connecticut and Ohio have reported breaches of protected health information, while a Tennessee school district is notifying 9,200 students and employees that their personal data was compromised in a breach involving nine of the system’s databases. Meanwhile, Federal Times reports that the Government Accountability Office’s information security director told a Senate subcommittee this week that the number of federal data breaches rose 19 percent between 2010 and 2011.
Full Story

PERSONAL PRIVACY

The Rising Market of Personal Data Control (August 2, 2012)
CNN reports on the emerging personal data control market. Consumers should view their personal information, “the asset class of the twenty-first century,” like “money in a bank,” the report states. According to Forrester Research, the business of personal data management is already worth billions and could grow within the next two years. More than $2 billion is spent annually in the U.S. harvesting consumer data from third parties. One expert says “cyber vaults”—cloud-based “hubs” that act as personal data safes and managers—could store financial, health and other personal information and ensure correct elements of a user’s data are provided to websites, potentially replacing traditional computers.

PRIVACY—U.S.

DHS CPO Departs To Initiate Privacy Practice (August 2, 2012)

U.S. Department of Homeland Security (DHS) Chief Privacy Officer (CPO) Mary Ellen Callahan, CIPP/US, has left the DHS to start a new privacy and information governance practice at the Jenner & Block LLP law firm, The Wall Street Journal reports. The DHS privacy office more than doubled and conducted upwards of 200 privacy impact assessments while Callahan served as CPO. Her last day in office was August 1, and Deputy Chief Privacy Officer Jonathan Cantor will fill the role until a new CPO is appointed, a DHS spokeswoman said. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

State’s Supreme Court Upholds Opt-Out Fee Program (August 2, 2012)

Maine’s Supreme Court has upheld the decision by the state’s public utilities commission (PUC) to allow Central Maine Power (CMP) to charge a fee to customers wishing to opt out of the company’s smart meter program, Info Law Group reports. CMP was one of the first utilities in the U.S. to face legal opposition to smart meter implementation after customers challenged the program in early 2011, alleging CMP’s smart meter installations violated their Fourth Amendment privacy rights. The PUC ruled the fee would be permitted, and, despite the customers’ challenge to the decision, Maine’s Supreme Court upheld the decision on July 12, stating the utility’s opt-out provision negated any privacy concerns.
Full Story

DATA PROTECTION—EU

ENISA Calls for End User, Service Provider Collaboration (August 2, 2012)

The European Network and Information Security Agency has called for collaboration between service providers and end users to protect online identities, ComputerWeekly reports. The agency said this week that in the first half of 2012, millions of citizens’ personal data was exposed due to data breaches, often affecting multiple sites at once. The agency published guidelines for online service providers on passwords, authentication systems and data breach notifications—which it believes will contribute to better data protection in the long term.
Full Story

PRIVACY LAW—U.S.

COPPA Modifications Play Catch-Up with Technology (August 2, 2012)

The New York Times reports on the FTC’s proposed modifications to the Children’s Online Privacy Protection Act Rule, which would “dictate that both the operator of a website that is directed at children and any third-party advertising network or application” would be responsible for complying. An FTC spokeswoman said the change would “close an apparent or possible loophole in the rule,” which was enacted four years before Facebook and the third-party apps it hosts. The proposal would also apply to a website that attracts both children and adults, requiring it to ask a user’s age and then apply privacy protections to those under the age of 13. (Registration may be required to access this story.)
Full Story

SSN PRIVACY—U.S.

Lawmakers Press for Medicare ID Protections (August 2, 2012)

At a House Ways and Means Social Security subcommittee hearing yesterday, Rep. Sam Johnson (R-TX) queried why Medicare has not yet removed Social Security numbers (SSNs) from identification cards, the Associated Press reports. Medicare Chief Information Officer Tony Trenkle said the process will be more difficult than similar SSN removals completed by the Department of Defense and Veterans’ Affairs. Trenkle said IT systems would need updating, beneficiaries would need educating and budget priorities laid out by Congress would need reassessing. The Government Accountability Office estimates that SSNs on Medicare cards put approximately 48 million beneficiaries at risk of identity theft.
Full Story

TRAVELERS’ PRIVACY—U.S.

Court Orders TSA To Open Body Scanner Comment Period (August 2, 2012)

A federal court has ordered the Transportation Security Administration (TSA) to explain why it has not offered a public comment period for the installation of body scanners in U.S. airports, Wired reports. The U.S. Circuit Court of Appeals for the District of Columbia gave the order after the third request by the Electronic Privacy Information Center (EPIC). The three-judge appellate court originally ruled the agency violated the Administrative Procedures Act by not initiating a 90-day public comment period. EPIC Executive Director Marc Rotenberg said the “order indicated that we have meritorious arguments.” The agency has until August 30 to respond.
Full Story

PRIVACY LAW—U.S.

Lawmaker Releases Draft Drone Privacy Bill (August 2, 2012)

Rep. Edward Markey (D-MA) has released a draft bill that would require drone operators and the Federal Aviation Administration (FAA) to meet privacy standards, The Hill reports. The bill would mandate that operators disclose what information is collected and how it’s used; that law enforcement develop data minimization procedures; and that the FAA consider privacy issues in its rule-making process for distributing commercial drone operating licenses. Markey said “just because a company soon will be able to register a drone license shouldn’t mean that company can turn it into a cash register by selling consumer information.”
Full Story

ONLINE PRIVACY

Experts: IPv6 Has Its Trade-Offs (August 2, 2012)

ZDNet reports IPv6 will allow for more unique IP addresses on the web, but it also “brings about a conflict between privacy and security,” according to experts. In IPv6, IP addresses will be globally unique, which expert Dick Bussiere says will mean users can be more easily tracked online. However, because of the increase in the number of IP addresses, it will also take cybercriminals more time to find their targets. Another expert says IPv6 has its trade-offs, and individuals and organizations “must choose where they want to be on the scale of security and privacy, considering the technologies available to them and how they can configure it.”
Full Story

PRIVACY LAW—U.S.

FTC Seeks Comments on Additional COPPA Proposals (August 1, 2012)
The Federal Trade Commission is seeking public comments on additional proposed modifications to the Children’s Online Privacy Protection Act Rule. The commission is publishing a Federal Register notice after receiving 350 comments since its September 2011 request for input and now proposes modifying certain definitions to clarify the rule’s scope to strengthen protections for the collection, use or disclosure of children’s personal information. The commission proposes changes to clarify the definitions of the terms “operator” and “website or online service directed to children” under the rule, as well as the definition of “personal information.” Public comment on the proposals will be accepted until September 10.

PRIVACY LAW—U.S.

FTC Reportedly Reaches $22.5 Million Settlement with Google (August 1, 2012)

Reuters reports that the Federal Trade Commission (FTC) has reached a $22.5 million settlement with Google over charges the company bypassed Apple Safari users’ privacy settings. The report cites a source familiar with the agreement as confirming the FTC voted to approve the consent decree while allowing the company to admit no liability in the case. An official announcement is expected soon.
Full Story

PRIVACY LAW—EU & FRANCE

CNIL Asks To Examine Street View Data (August 1, 2012)

The French data protection authority (CNIL) has asked Google to make undeleted payload data from its Street View project available for analysis, The New York Times reports. The move comes days after the UK’s Information Commissioner’s Office (ICO) announced a similar inquiry. The CNIL said that like the ICO, it has asked the company to keep the data in question “secure while the necessary investigations are conducted.” Google Global Privacy Counsel Peter Fleischer said the company learned some of the data still existed during a “comprehensive manual review of our Street View disk inventory.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Senators, Experts: 1974 Privacy Act Is Out of Date (August 1, 2012)

At a Senate subcommittee hearing yesterday, Sen. Daniel Akaka (D-HI) said “much of the Privacy Act remains stuck in the 1970s,” and, “As a result, the act is difficult to interpret and apply, and it provides inconsistent protection to the massive amount of personal information in the hands of the government,” the NationalJournal reports. Akaka has introduced legislation to update the act, which includes a provision creating a federal chief privacy officer (CPO). At the hearing, Ohio State University Law Professor Peter Swire, CIPP/US, urged Congress to appoint members to the Privacy and Civil Liberties Oversight Board, and Department of Homeland Security CPO Mary Ellen Callahan, CIPP/US, discussed her agency’s privacy efforts.
Full Story

DATA LOSS—CANADA

OIPC: Systemic Failures in Voter Data Processing (August 1, 2012)

An investigation by Ontario Information and Privacy Commissioner Ann Cavoukian has revealed that Elections Ontario demonstrated “systemic failures” when handling voter data. Cavoukian said she was “deeply disturbed” that the agency did not properly train staff, The Globe and Mail reports. Days after misplacing USB keys containing the personal information of 2.4 million voters, staffers still used unencrypted memory sticks, according to the investigation. Cavoukian has recommended the agency appoint a chief privacy officer and develop a privacy training program for staff.
Full Story 

ONLINE PRIVACY

The Pros and Cons of Highly Interconnected Systems (August 1, 2012)

In a column for MIT’s Technology Review, John Palfrey and Urs Gasser discuss the theory of highly interconnected systems—what they call “interop.” As we move toward smart grids and electronic health records—systems designed to help society—“we can take this interconnection too far, without thinking through its consequences first,” they write, adding, “Security and privacy risks are the most common problems that flow from unchecked levels of interoperability.” Both argue “that we need to get interop right if we are to address some of the biggest challenges of our era…We cannot take this flow of information for granted; it has to be planned and managed.” Editor’s Note: Urs Gasser will speak at the IAPP Navigate 2012 executive forum, to be held in conjunction with the IAPP Privacy Academy in San Jose, CA, this October.
Full Story

PRIVACY LAW—MACAU & U.S.

Authorities Investigating Data Transfer (August 1, 2012)

Macau privacy authorities are investigating a U.S.-owned gambling empire over its handling of documents related to a lawsuit by its former CEO, The Washington Post reports. Sands China Ltd. said it has been notified by Macau privacy authorities that an official investigation has been launched into the alleged transfer of data from Macau to the U.S. The former CEO’s wrongful termination lawsuit alleges the company withheld documents, but Sands China lawyers say the files were transferred out of Macau in error. Macau’s privacy regulations “require consent and notification of authorities before personal data can be transmitted out of the territory,” the report states. Hearings have been scheduled for August 30 and 31. (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

Data Aggregation Concerns Lawmakers, Advocates (August 1, 2012)

TIME reports on concerns about big data following eight lawmakers’ recent announcement that they will investigate data aggregators’ collection of personal data. The director of the Center on Law and Information Policy at Fordham University’s School of Law said, “They’ll pick out seemingly innocuous information. Most people wouldn’t think twice about each individual data point, but you can connect the dots.” Lawmakers and privacy experts are particularly concerned about whether individuals’ online reputations could be used against them. Credit reports, for example, are sometimes erroneous, and without access to consumer profiles, individuals don’t know how third parties are viewing them.
Full Story