Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!

Top Privacy News

MOBILE PRIVACY—U.S.

California Issues App Developer Noncompliance Notice (October 31, 2012)
California Attorney General Kamala Harris has reportedly sent out notices warning as many as 100 mobile app developers that they must conspicuously post privacy policies within the next 30 days to be in compliance with the California Online Privacy Protection Act, Bloomberg reports. The new state protocol requires mobile applications that collect personal data within the state to post a privacy policy stating what data is collected and how it will be used. Harris said, “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”

ONLINE PRIVACY

Yahoo To Ignore Default DNT Settings (October 31, 2012)

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) settings, InformationWeek reports, indicating the setting “ignores the wishes of its users.” The browser will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent—not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement.

DATA LOSS—UK

ICO Warns NHS of Potential Breach Fines (October 31, 2012)

The Information Commissioner’s Office (ICO) has warned of additional fines to National Health Service organizations if they continue to not meet data protection obligations, Publicservice.co.uk reports. The warning comes on the heels of news that the medical data of as many as 1.8 million patients has been at risk within this year, the report states. An ICO spokesman told The Daily Dashboard, “The monetary penalties we issue are a very important way to discourage others from making the same data protection mistakes. In order to issue a monetary penalty, we have to fulfill the criteria set out in our statutory guidance. This includes demonstrating that the breach caused, or had the potential to cause, substantial damage and distress to those individuals affected and the organization knew or ought to have known that the breach could occur but still failed to take action. Where this criteria is met, we will consider serving an organization with a monetary penalty.”

PRIVACY LAW—U.S.

Judge: DEA’s Warrantless Surveillance Did Not Violate Law (October 31, 2012)

CNET News reports on a U.S. District Court ruling that, in some circumstances, police are allowed to install hidden surveillance cameras on private property without a warrant. U.S. District Court Judge William Griesbach has ruled Drug Enforcement Administration (DEA) agents had reason to “enter rural property without permission—and without a warrant” to install surveillance cameras to investigate suspected criminal drug activity. Griesbach’s ruling upheld a recommendation by U.S. Magistrate Judge William Callahan stating the DEA did not violate the law as “The Supreme Court has upheld the use of technology as a substitute for ordinary police surveillance.”

HEALTHCARE PRIVACY—U.S.

Opinion: Finding the Healthcare Privacy Balance (October 31, 2012)

In this exclusive for The Privacy Advisor, experts share perspectives on the questions and challenges surrounding healthcare IT and privacy. John Christiansen, a Seattle-based healthcare lawyer focusing on IT, privacy and security issues, writes, “It’s not always easy to strike the right balance between privacy and other values” and explores two healthcare situations—“one at the operational level involving emergency access to information and the other at the policy level involving the shutdown of the HIPAA individual identifier by privacy advocates.” Experts Rick Kam, CIPP/US, and Doug Pollack, CIPP/US, discuss the balance between electronic health records and patient privacy.

ONLINE PRIVACY—CANADA

Commissioner Releases Paper on Personal Data Ecosystem (October 31, 2012)

Information and Privacy Commissioner of Ontario Ann Cavoukian, with co-authors from Europe and the U.S., has released a paper, Privacy by Design and the Emerging Personal Data Ecosystem, that highlights new technologies enabling Internet users to have more control over their data. “Privacy is all about control,” Cavoukian says in a news release, adding, “that is why I am taken with the promise of the emerging Personal Data Ecosystem. New technologies…give individuals a central point of control for their personal information and the ability to decide what information to share, with whom and under what conditions.”

PRIVACY LAW—U.S.

Courts’ Definitions of Harm Widening in Breach Cases (October 30, 2012)
CSO reports on federal courts’ widening definition of damages from data breaches. This “sea change” leaves unprepared companies at risk when it comes to class-action lawsuits, according to lawyers from the firm Pepper Hamilton. Until recently, courts would dismiss data breach lawsuits that couldn’t prove specific harm. But courts “are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately but sometime in the near future,” lawyer Jeffrey Vagle said. A recent survey found the average settlement award for class-action data breach suits to be $2,500 per plaintiff.

PRIVACY LAW—SOUTH AFRICA

Pending Privacy Bill Could Cost 35,000 Jobs, Observer Says (October 30, 2012)

According to one critic, South Africa’s proposed Protection of Personal Information Act (PPI) could cause as many as 35,000 citizens to lose their jobs, ITWeb reports. The PPI is expected to limit unwanted telemarketing calls and spam, the report states. CareerCall’s Andy Quinan says the bill could affect the call-sector industry and stifle entrepreneurs who use telemarketing as a cost-effective marketing tool. Quinan has based his estimate on the 2008 C3Africa National BPO Survey.

DATA PROTECTION—UK

ICO Looking Into Police Data Collection, Retention (October 30, 2012)

The Information Commissioner’s Office (ICO) is investigating claims against Kent police over data collection and retention activities, This is Kent reports. A spokesman for the ICO said, “If police forces are examining the content on mobile phones and are wanting to use that information, this would need to comply with the Data Protection Act.” He added the office is “looking at this issue and will be considering whether any action is necessary to help ensure compliance…” Meanwhile, a spokesman for the Home Office said that although information about suspects is crucial, police “should only be extracting and retaining data relevant to criminal investigations or for other permitted purposes.”

TRAVELERS’ PRIVACY

Group Warns of Public Transit Privacy Concerns (October 30, 2012)

Privacy International is warning that public transportation companies voluntarily share personal information about travelers with law enforcement agencies, IDG News Service reports. “Every single authority and company we have spoken to so far has shocking practices,” said a spokesman from Privacy International, which has polled 48 transport authorities and companies globally to ask how they handle personal information stored on public transportation cards. “The problem with smart cards is that they record a very fine grain of information,” the spokesman added, in some cases including bank details, e-mails, passwords and telephone numbers. While court orders are required in some countries, that is not the case for others.

DATA PROTECTION

Cyber Liability Insurance Awareness Is Growing (October 30, 2012)

Out-Law.com reports on a survey revealing that 60 percent of businesses do not have cyber liability insurance, but according to one expert, companies are becoming more aware of it. The Advisen survey report states that 52 percent of businesses not currently covered have no plans to gain the insurance in the next year. Pinsent Masons’ Ian Birdsey said, “When you consider the frequency, severity and exposure of security and data breaches,” it’s “surprising” that 52 percent are not considering the insurance. Birdsey noted that “the test remains whether advocates for data risks or cyber liability insurance cover at general counsel or chief privacy officer level can persuade their management teams to allocate budget to buy cover in the next financial year.”

CONSUMER PRIVACY—U.S.

Presidential Election May Alter Fate of Privacy Bill of Rights (October 30, 2012)

Privacy experts and advocates discuss the uncertainty of the Obama administration’s “privacy bill of rights” under a potential Romney presidency in a BNA Bloomberg report. Romney representatives have said the candidate may be open to reviewing the proposed plan. Consumer Watchdog’s John Simpson said Romney is “an advocate of less regulation on business, so I don’t see much hope that he would be concerned about privacy.” Hogan Lovells Partner Christopher Wolf said that “one can expect that the current executive branch initiatives to improve consumer privacy will not continue in a Romney administration.” A Romney spokeswoman said, as president, Romney “will review the regulatory regime to ensure that strong and transparent protections are in place.”

ONLINE PRIVACY—U.S.

Presidential Campaigns Ramping Up Online Tracking (October 29, 2012)
The New York Times reports on the online tracking of consumers by both U.S. presidential campaigns. “One of the hallmarks of this campaign,” the article states, “is the use of increasingly complex—but not always accurate—data-mining techniques to customize ads for voters based on the digital trails they leave as they visit Internet sites.” According to an Evidon report, both campaigns have increased their online tracking beyond that of many popular retailers. Some privacy advocates worry that collected data could be used for secondary purposes, giving businesses a window into users’ political beliefs. The ACLU’s Chris Calabrese said, “We simply don’t know how this information is going to be used in the future and where it is going to end up.” (Registration may be required to access this story.)

PRIVACY LAW—EU

Regulators Looking Into Microsoft Changes (October 29, 2012)

Luxembourg and other EU data protection commissions (DPCs) are looking into whether changes Microsoft made to its Internet products Hotmail and Bing bring new privacy risks for users and comply with the region’s standards on notice and choice, reports The Washington Post. President of the Luxembourg DPC Gerard Lommel acknowledged that possible issues “can neither be excluded nor confirmed” in this case, suggesting the review is not on the level of a recent investigation into Google’s privacy policy changes “where clear privacy issues had been identified.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Advocacy Group To Fight Settlement at Hearing (October 29, 2012)

A California court will hear arguments next month against a proposed settlement between Google and the Federal Trade Commission (FTC), IDG News Service reports. The $22.5 million settlement is the largest fine handed down by the FTC thus far and stems from Google’s use of cookies to track users of Apple’s Safari browser. Privacy advocates have criticized the settlement for being “too soft,” the report states. Advocacy group Consumer Watchdog will argue at the November 16 hearing that the deal does not prevent Google from conducting similar tracking in the future and does not require the company to destroy information gleaned from past tracking.

DATA THEFT—U.S.

Credit Report Data Security Questioned (October 29, 2012)

Bloomberg reports on the theft of credit reports and questions whether adequate security is being employed to protect credit reporting databases. Instead of directly targeting the big three credit bureaus, data thieves often target affiliated businesses that utilize credit background checks. Sen. Richard Blumenthal (D-CT) said, “This is profoundly important because it illustrates a growing problem when it comes to data breaches and security—the chain is only as strong as its weakest link,” adding, “If their customers have inadequate security practices, so do the credit bureaus.” A spokesman for Experian said, “We continue to invest in the security systems we have in place to protect our clients and consumers.”

PRIVACY LAW—EU

Reding Hints at Data Protection Concessions for SMEs (October 29, 2012)

At a Home Affairs Council meeting in Luxembourg last week, EU Justice Commissioner Viviane Reding said she was willing to offer some concessions to small-medium enterprises (SMEs) and the public sector in revisions to the data protection regulation, COMPUTERWORLD UK reports. Though the regulation needs the “right firmness of touch,” Reding said she did not want SMEs to be overburdened. “The commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed,” Reding said, adding, “One thing is clear: There can be no general exemption for the public sector.”

MOBILE PRIVACY—U.S.

Rules Surrounding App Data Collection a “Gray Area” (October 29, 2012)

The New York Times reports on the gray legal area surrounding mobile apps. The law has not kept pace with advances in technology, resulting in online businesses’ collection of large volumes of personal data. Meanwhile, users are often oblivious. “Generally, most people are simply unaware of what is going on,” said one expert. App developers’ data collection practices are loosely regulated in the U.S., the report states. California Attorney General Kamala Harris recently reached an agreement with six leading companies that they would only sell or distribute apps with privacy policies, the report states. Meanwhile, in Europe, revisions to the data protection regulation would require consumer consent before data collection on the web. (Registration may be required to access this story.)

DATA LOSS—U.S.

SSNs Exposed in Data Breaches (October 29, 2012)

A data breach at the South Carolina Department of Revenue has exposed as many as 3.6 million Social Security numbers and 387,999 credit card numbers, SecurityWatch reports. The breach was the result of a cyber attack against the department’s systems in mid-September. The Social Security numbers were not encrypted. The state’s chief consumer advocate is calling for privacy laws to be strengthened to tell agencies how to guard against a breach. Meanwhile, employees of the Hillsborough Area Regional Transit Authority in Florida have been alerted that their Social Security numbers and bank information may have been compromised.

PRIVACY LAW—U.S.

FTC Finalizes Two Privacy Settlements (October 29, 2012)

The Federal Trade Commission (FTC) has finalized settlements with two companies for allegedly illegally exposing the sensitive personal information of thousands of consumers through the installation of peer-to-peer file-sharing software on computer systems. The settlements are with EPN, Inc., and Franklin Budget Car Sales, Inc., and will “bar misrepresentations about the privacy, security, confidentiality and integrity of any personal information collected from consumers,” the FTC press release states. The companies must also create and maintain comprehensive information security programs.

PRIVACY LAW—U.S.

Plaintiff Seeks To Revive Pandora Lawsuit (October 26, 2012)
A Pandora user is seeking to revive a privacy lawsuit in a federal appeals court, MediaPost reports. Originally dismissed by U.S. District Court Judge Saundra Brown Armstrong last month, plaintiff Peter Deacon has alleged that Pandora violated a Michigan privacy law by disclosing his “sensitive listening records” to his friends. Armstrong ruled that Deacon could amend his complaint, but he has chosen not to, setting the stage for an appeal to the 9th Circuit Court of Appeals, the report states. Deacon’s lawyer has said his firm is “looking forward to making our arguments to the 9th Circuit.”

CHILDREN’S PRIVACY—U.S.

FTC’s Proposed COPPA Changes Could Face Legal Challenge (October 26, 2012)

NationalJournal reports on a potential legal backlash against the Federal Trade Commission (FTC) if it pursues proposed changes to the Children’s Online Privacy Protection Act. At a forum Thursday, TechFreedom President Berin Szoka and others cited specific issues with the proposed changes, including expanding the definition of personally identifiable information to cover persistent identifiers, a move they believe could hamper website functionality and innovation, the report states. Szoka said, “The FTC should take the time next year, probably hold a workshop and discuss these things and issue a revised rule,” adding, “If they don’t, they will be sued.”

SURVEILLANCE—U.S.

Lawmakers Discuss Domestic Drone Use (October 26, 2012)

House Judiciary Committee lawmakers, along with academics and privacy advocates, on Thursday discussed legislation to restrict the domestic use of unmanned aerial vehicles (UAVs), The Hill reports. Rep. Ted Poe (R-TX) has urged Congress to consider the Preserving American Privacy Act. The proposed legislation would limit drone use to law enforcement with a warrant and in felony investigations. Rep. Michael McCaul (R-TX) said there is “a real benefit and use” for UAVs along U.S. borders and for law enforcement but added that he would support limiting their domestic use.

TRAVELERS’ PRIVACY—U.S.

TSA Removing X-Ray Scanners from Large Airports (October 26, 2012)

The Transportation Security Administration (TSA) is removing full-body X-ray scanners from seven of the nation’s largest airports and replacing them with scanners that produce a cartoon-like image, reports the Associated Press. The TSA says it is making the move to speed up lines, not to protect travelers’ privacy, the report states. The American Civil Liberties Union’s Jay Stanley said, “Hopefully this represents the beginning of a phaseout of the X-ray-type scanners, which are more privacy-intrusive and continue to be surrounded by health questions.” (Registration may be required to access this story.)

EMPLOYEE PRIVACY—U.S.

NJ Senate Passes Applicant Privacy Bill (October 26, 2012)

New Jersey’s Senate has passed a law to prevent employers from requiring applicants to provide access to private accounts, NJTODAY.NET reports. The Assembly passed a similar bill in June. “There are plenty of other steps in a job application process for employers to gain a profound understanding of an applicant’s experience, fitness and personality,” said Republican State Sen. Kevin O’Toole, adding, “Applicants should not have to choose between preserving their due privacies and earning incomes.” The bill also bans “associated discrimination or retaliation” and allows applicants to sue for damages in the event of violations, according to the report.

DATA PROTECTION—U.S.

Businesses Struggle with Mass. Compliance, Enforcement Ramping Up (October 26, 2012)

In an exclusive for The Privacy Advisor, David Governo and Corey Dennis, CIPP/US, discuss the ways in which businesses are grappling with Massachusetts data privacy laws, which became effective in March 2010 and are among the nation’s most stringent. They require businesses to establish “physical, administrative and technical information security measures to safeguard personal information” and to develop a written program outlining such safeguards. Enforcement of data privacy laws is expected to increase, Governo and Dennis write, noting an initiative by the National Association of Attorneys General exploring ways to protect online privacy.

PRIVACY—U.S.

FTC Working on Data Collection Nutrition Label (October 25, 2012)
The Federal Trade Commission (FTC) is working on a nutrition label for data collection, Law360 reports. FTC Chairman Jon Leibowitz says the label would act as a “disclosure mechanism that websites can customize to succinctly tell consumers what kind of data they are collecting and how they are using it.” The news follows calls from academics and advocates for companies to create privacy policies that are accessible and easy for the average consumer to read and understand. (Registration may be required to access this story.)

PRIVACY—U.S.

Privacy and Civil Liberties Oversight Board To Hold First Public Meeting (October 25, 2012)

The Privacy and Civil Liberties Oversight Board will hold its first public meeting this month, according to a notice in the Federal Register. The board, which aims to provide privacy oversight on U.S. surveillance and security measures in the fight against terrorism, had remained dormant since 2007, inciting widespread criticism. President Barack Obama appointed new members to the board in 2011, and the Senate confirmed four of five nominees earlier this year. The aim of next Tuesday’s meeting is to gather feedback from nongovernmental organizations and members of the public on priorities the board should consider on its forthcoming agenda. The public portion of the meeting will take place from 10 a.m. to noon on October 30 in Washington, DC.

DATA LOSS—UK

ICO Fines Council £120,000 (October 25, 2012)

The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent Council £120,000 after sensitive personal information was e-mailed to the incorrect recipient, Publicservice.co.uk reports. The council failed to resolve issues raised by an earlier and similar incident by failing to provide a legal department with encryption software and lacking data protection training, the report states. ICO Head of Enforcement Stephen Eckersley said “the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.”

FINANCIAL PRIVACY

Breach Report: 174 Million Records Compromised in 2011 (October 25, 2012)

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011, Out-Law.com reports. Calling it “an all-time low” for data breach protection, the report revealed that 96 percent of organizations required to follow the Payment Card Industry Data Security Standard (PCI DSS) that experienced a breach—according to Verizon’s “caseload”—were not compliant with PCI DSS. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96-percent tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.”

DATA PROTECTION—SINGAPORE

Gov’t Considers Banning Free Phone Books (October 25, 2012)

Singapore is considering halting the publication of free telephone directories due to privacy concerns, reports AFP. Concerns about the listing of residential and office numbers have prompted the Infocomm Development Authority of Singapore (IDA) to publish a consultation on whether “it is still necessary to maintain the regulatory requirement for Directory Services.” The IDA notes “increasing public awareness, and concerns, about use and protection of personal data.” Singapore’s Parliament passed a data protection law earlier this month that includes a Do-Not-Call registry, provisions on private-sector use of personal data and the creation of a new enforcement agency, which may fine noncompliant organizations.

PRIVACY

FPF Announces Privacy Papers for Policy Makers 2012 (October 25, 2012)

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky, CIPP/US, said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.”

PRIVACY LAW—EU & U.S.

How Will Elections Impact Privacy? (October 25, 2012)

In an exclusive for The Privacy Advisor, Mathew Schwartz reports on how potential changes in leadership may affect privacy rights around the world. The U.S. presidential election in November will be followed by Ireland’s resumption of the EU presidency for six months in January, while the UK will take on the presidency of the Group of Eight (G8). Questions persist in the U.S. on finding a balance between innovation and data protection, Schwartz writes, and in the UK, the question of whether the G8 could be used as a platform for eliciting change in privacy law cannot yet be “answered in detail.”

GEO PRIVACY—U.S.

The Growing Use of GPS Tracking Devices (October 24, 2012)
The New York Times reports on the use of GPS tracking devices by families. The small, beeper-like gadgets can be placed in a car to follow a teenager or spouse, in a child’s backpack to ensure the child gets to and from school safely or embedded in medical-alert technology to provide emergency help to the elderly. The user can track a subject’s location via the web or smartphone app—and some companies offer multiple tracking services. This “kind of air-traffic control panel of familial concern” raises issues of privacy and personal space, the report states. (Registration may be required to access this story.)

DATA THEFT—U.S.

PIN Pads Breached at Barnes & Noble Stores (October 24, 2012)

Credit card information of Barnes & Noble customers has been stolen by hackers at 63 store locations across the country, The New York Times reports. The bookseller discovered the breach in September and was instructed by the Justice Department to keep the matter under wraps so the FBI could investigate. The hackers allegedly accessed the financial data via PIN pads placed at store registers. Though breach notification varies by state, Morrison & Foerster Attorney Miriam H. Wugmeister said, “If you have a breach that included name plus credit card information, but the credit card information was encrypted, you would not have to provide notice.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Court Allows Path Lawsuit To Move Forward (October 24, 2012)

A judge has allowed a lawsuit against mobile app developer Path to proceed, MediaPost reports. The company has been urging the court to dismiss the suit, claiming users did not suffer economic harm, but U.S. District Court Judge Yvonne Gonzalez Rogers found that a user sufficiently alleged harm in the case. The company is accused of violating users’ privacy after it was discovered that users’ address books were uploaded without consent. A second class-action lawsuit against the company is pending in a federal court in Austin, Texas.

PRIVACY LAW

EFF Fights Energy Company’s Subpoenas (October 24, 2012)

A privacy group is advocating against an energy company’s subpoena seeking information on dozens of e-mail accounts, Courthouse News Service reports. Following a $19 billion judgment in favor of Ecuadorean aborigines and farmers against Chevron for oil contamination, the company has filed subpoenas for information—including IP addresses and time stamps—about Yahoo and Google users, calling the verdict “extortionate fraud.” In response to the subpoenas, the Electronic Frontier Foundation has filed an amicus brief stating that the release of the information the company seeks would intrude on the privacy of the John Does involved, adding the court “should not permit Chevron’s unnecessary and unwarranted fishing expedition” without sufficient cause.

HEALTHCARE PRIVACY—U.S.

Hospital Reports Breach (October 24, 2012)

A Tennessee hospital is notifying 27,000 patients that their personal information has been compromised, knoxsnews.com reports. Blount Memorial Hospital says a laptop was stolen during a burglary in August. The laptop contained 22,000 patient names, dates of birth, addresses and billing information, among other details, and the Social Security numbers of about 5,000 additional patients. The hospital has alerted the U.S. Department of Health and Human Services Office for Civil Rights.

TRAVELERS’ PRIVACY—U.S.

Supervisor Calls for Public Transit Card Privacy (October 24, 2012)

A San Francisco supervisor is calling for stricter privacy controls surrounding “Clipper cards” used to pay for public transportation. Supervisor Jon Avalos has introduced a resolution to ensure that “people who are using Clipper cards can actually be protected against any use of information about where they go and what their whereabouts are,” The San Francisco Examiner reports. The cards do not contain personal information, according to a Metropolitan Transportation Commission spokesman, but do contain travel logs on a passenger’s past 10 trips. The agency is required by state law to provide travel information when subpoenaed, the spokesman said.

HEALTHCARE PRIVACY—U.S.

Lawmakers Call for Improved Medicare ID Theft Prevention (October 24, 2012)

Reps. Wally Herger (R-CA) and Sam Johnson (R-TX) are calling on the Department of Health and Human Services (HHS) to remove users’ Social Security numbers from Medicare cards, The Hill reports. Citing a recent report that found flaws in the way the HHS responds to Medicare identity theft, Johnson said, “This report is a wakeup call for (the Medicare agency) to heed the advice of its own inspector general and take immediate action to develop a new system for protecting seniors from medical identity theft.”

PRIVACY LAW—U.S.

FTC Reaches Settlement with Analytics Company (October 23, 2012)
The Federal Trade Commission (FTC) has reached a settlement with web analytics company Compete, Inc., for allegedly misrepresenting its data collection practices and failing to adequately secure collected data, MediaPost reports. The company has agreed to destroy data collected from users prior to February of 2010 and to undergo biennial audits for the next 20 years. According to the FTC, the company did not appropriately disclose “the full extent of data collected through tracking software,” and such a failure “was, and is, a deceptive act or practice.” Compete said, “We will continue to develop and uphold new standards for transparency and security.”

SURVEILLANCE

UN Wants “Anti-Terror” Internet Surveillance (October 23, 2012)

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity, CNET News reports. “The Use of the Internet for Terrorist Purposes” states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.”
Full Story

ONLINE PRIVACY—U.S.

Microsoft To Clarify Privacy Rule Changes (October 23, 2012)

Microsoft has said it will clarify part of its new disclosure policy to explicitly state that it will not use personal information gleaned from certain free services for targeted advertising, The New York Times reports. Rep. Edward J. Markey (D-MA) sent a letter Monday to the company expressing concerns that the move would allow Microsoft to compile “detailed, in-depth consumer profiles.” In a statement, Microsoft said, “We appreciate the feedback we’ve received, and as a result, we will update the agreement as soon as possible to make that point absolutely clear.” (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY—U.S.

Chain Removes Sharing Feature Following COPPA Complaint (October 23, 2012)

McDonald’s has removed social networking features in some of its online games following complaints from a privacy advocacy group, The Washington Post reports. The Center for Digital Democracy filed a complaint with the Federal Trade Commission last month that the restaurant chain was violating children’s privacy laws by asking children, without requiring parental consent, to list the e-mail addresses of friends as part of a “tell-a-friend” feature on HappyMeal.com. McDonald’s said it has removed the feature and the online security of its guests “remains a top priority.” (Registration may be required to access this story.)
Full Story

GEO PRIVACY

Judge Concerned About Warrantless Cell Tracking (October 23, 2012)

A Texas judge has concerns about the ways law enforcement agents are using technology to gain data on cell phones in particular areas, The Wall Street Journal reports. Magistrate Judge Brian Owsley recently denied two federal requests for warrantless cell phone tracking, noting the government should apply for warrants. The judge says he’s concerned agents and U.S. attorneys don’t understand the technology. “Without such an understanding, they cannot appreciate the constitutional implications of their requests,” Owsley wrote in an order last month, adding there has been no discussion around how data retained on innocent people would be used. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Consumer Privacy Allegations (October 23, 2012)

A federal judge has dismissed much of a class-action suit over a data breach at Sony’s PlayStation Network in April 2011, Courthouse News Service reports. The suit alleges hackers were able to access the gaming network because the company negligently “failed to provide adequate firewalls and safeguards” for users’ personally identifiable information. Sign-up for the games requires users to provide names, mailing addresses, e-mail addresses, birthdays and credit and debit card information, the report states. The suit alleges Sony should have known the system was vulnerable to an attack. A U.S. District Court judge has dismissed several of the suit’s claims, including violations of California consumer protection statutes.
Full Story

PRIVACY LAW—CANADA

Supreme Court: Employees Have Computer Privacy Rights (October 22, 2012)
The Supreme Court of Canada has ruled that employees have some privacy rights over workplace computers and that computers should not be searched by law enforcement without a warrant, the Toronto Star reports. In the 6-1 ruling, the court wrote, “Computers that are reasonably used for personal purposes—whether found in the workplace or the home—contain information that is meaningful, intimate and touching on the user’s biographical core.” The author of the ruling, Justice Morris Fish, added, “Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected.”

ONLINE PRIVACY

Microsoft Alters Its Privacy Rules (October 22, 2012)

The New York Times reports on a new policy implemented by Microsoft allowing it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—COLOMBIA

Data Protection Law Becomes Effective (October 22, 2012)

Colombia has enacted an omnibus data protection law, reports the Hunton & Williams Privacy and Information Security Law Blog. The law was enacted on October 17. It contains “significant notice and consent requirements, special provisions for the processing of children’s data, European-style data subject rights…and cross-border data transfer restrictions,” among other provisions. The law also calls for the establishment of a data protection authority.
Full Story

BIOMETRICS—U.S.

FTC Releases Facial Recognition Best Practices (October 22, 2012)

The Federal Trade Commission has released recommendations for companies using facial recognition technology. “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies” recommends that companies design their services with consumer privacy as a consideration; develop reasonable security practices; assess the sensitivity of the information that is collected, and make sure consumers are aware when a facial recognition technology is being used. “Fortunately, the commercial use of facial recognition technologies is still young,” the staff report states. “This creates a unique opportunity to ensure that, as this industry grows, it does so in a way that respects the privacy interests of consumers while preserving the beneficial uses the technology has to offer.”
Full Story

DATA PROTECTION—U.S.

Inspector General: Lack of Encryption Software Puts Vet Data at Risk (October 22, 2012)

Encryption software purchased for PCs and laptops at the U.S. Department of Veterans Affairs (VA) has been installed on only 16 percent of computers, according to the department’s inspector general. InformationWeek reports the software was purchased six years ago after a high-profile data breach involving the loss of information on 26 million veterans and costing $20 million to clean up. An anonymous tip that the software was not being implemented prompted the inspector general to investigate. The inspector’s subsequent report states that veterans’ data “remained at risk due to unencrypted computers.” The VA says it plans to complete installing the software by September 2013.
Full Story

PRIVACY LAW—U.S.

Company Settles Supercookies Lawsuit (October 22, 2012)

An analytics company has agreed to settle a class-action lawsuit over tracking practices, MediaPost reports. The settlement forbids KISSmetrics from using ETags and other supercookies for tracking purposes without first giving users “reasonable notice and choice” and requires it to pay $2,500 each to the two consumers who sued as well as $500,000 in attorney costs. The suit alleged the company violated wiretapping laws by using ETag technology, which can be used to track users’ web movements even after they deleted traditional cookies.
Full Story

PRIVACY LAW—EU

Law Student’s Quest Against Facebook Continues (October 22, 2012)

Austrian law student Max Schrems has said Facebook and European regulators have not done enough to curb what he says are violations against European privacy laws, The Washington Post reports. Founder of “Europe v Facebook,” Schrems is looking to raise approximately 200,000 euros to keep his campaign moving forward. “At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?” the report states. Schrems said, “We’re right now defining what our world is going to look like in 20 years.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—AUSTRIA & EU

EU Court Rules Austria DPA Needs More Independence from Gov’t (October 19, 2012)
The Court of Justice of the European Union (CJEU) has ruled that the Austrian government has not complied with EU law as it has not provided its data protection authority (DPA), the Datenschutzkommission, with “complete independence,” Out-Law.com reports. In order to attain “complete independence,” the CJEU ruled that DPA staff must not share offices with government officials; must not be required to provide the government with “unconditional” access to information about the DPA’s work, and an individual heading a DPA must not simultaneously hold other government positions. During a speech in Brussels, the European Data Protection Supervisor called the decision a “great day for data protection in Europe,” while also discussing the relationship between the proposed EU regulation and the e-Privacy Directive.

PRIVACY LAW—UKRAINE

Insurance Group Asks for Veto (October 19, 2012)

An insurance industry group has asked Ukraine’s president to veto a measure to amend the data protection law, KyivPost reports. The League of Insurance Organizations of Ukraine (LIOU) says the amendments “unreasonably extend the powers of the State Service of Ukraine on Personal Data Protection,” the report states. “We think the adoption of this law in such wording, despite numerous plus points, contains serious obstacles to entrepreneurship in Ukraine, creating a serious threat of the appearance of unreasonable additional financial and organizational expenses for businesses, as well as contradicting international standards regarding personal data protection, and the norms of the Ukrainian legislation,” the group stated in its letter.
Full Story

PRIVACY LAW—INDIA

Gov’t Panel Issues Privacy Law Recommendations (October 19, 2012)

The Times of India reports on recommendations issued by a government-appointed panel tasked with identifying privacy issues and preparing a report to facilitate the proposed Privacy Act. Led by former Delhi High Court Chief Justice A P Shah, the group laid out guidelines on telephone tapping and other forms of communications surveillance as well as recommendations to set up national and regional privacy regulators. The group identified differences between existing laws that allow government surveillance, stating, “these differences have created an unclear regulatory regime that is inconsistent, non-transparent and prone to misuse and does not provide remedy or compensation to aggrieved individuals.”
Full Story

SURVEILLANCE—U.S.

Maryland Buses Record Audio (October 19, 2012)

The Maryland Transit Administration (MTA) has installed audio-recording devices on 10 Baltimore buses, reports The Washington Post. While the plan was approved by the state’s attorney general, an American Civil Liberties Union lawyer said he was “flabbergasted” by the implementation, after the acting transportation secretary and the General Assembly denied a 2009 proposal to record audio. The MTA says it wants passengers to feel safe, and “audio completes the information package for investigators and responders.” State Sen. Jamie Raskin (D-Montgomery) said bus patrons should have been consulted, and a clear policy should have been developed, the report states. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

EFF, ACLU Take On Data Collection Practices (October 19, 2012)

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) are challenging the data-collection activities of Verizon Wireless, reports PC World. The advocacy groups say Verizon violates the federal Wiretap Act when it collects data on customers’ app usage, locations and web browsing and sells it to advertisers. Verizon says its actions are legal because it notifies customers of its practices and allows them to opt out, and the data cannot be tied to an accountholder. The groups claim, however, that the act of collection is the violation. “What you do after the fact is certainly important, but the violation of the Wiretap Act has already occurred,” said EFF lawyer Hanni Fakhoury.
Full Story

ONLINE PRIVACY

Google CEO Defends Privacy Policy (October 18, 2012)
Larry Page, Google’s chief executive, has defended the company’s privacy policy amidst calls from European data protection authorities to clarify its 10-month-old privacy policy, The New York Times reports. “Virtually everything we want to do, I think, is somewhat at odds with locking down all of your information for uses you haven’t contemplated yet,” said Page, adding, “That’s something I worry about.” Page also said that recent Google products, such as Google Now, would not be possible without its new privacy policy. According to the Electronic Frontier Foundation, the letter from the EU regulators challenges Google to publicly commit to limiting the scope of the collection and potential uses of the data. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Rep. Barton: “We Need Stronger Privacy Laws” (October 18, 2012)

In a blog post for The Hill, Rep. Joe Barton (R-TX) calls for tougher online privacy legislation. “If our forefathers knew what the Internet and modern technology would be like today,” Barton writes, “they would have put a right to privacy explicitly in the Constitution.” Barton contends that parts of the online industry are listening, “while others remain tone-deaf,” particularly in relation to Do Not Track. Barton writes that some are “putting profits over privacy” and describes the Do Not Track Kids Act as “common-sense legislation.” Meanwhile, the Center for Digital Democracy and Commonsense Media have launched an online petition aimed at persuading the Federal Trade Commission to “stay the course” on proposed changes to COPPA.
Full Story

DATA LOSS—U.S.

University of Georgia Notifies 8,500 (October 18, 2012)

The University of Georgia (UGA) is notifying 8,500 current and former employees that their personal information may have been exposed, SCMagazine reports. According to UGA Vice President for Information Technology Timothy Chester, “This appears to be a planned intrusion by someone who knew enough about our operations to know which accounts to attack and where the sensitive information was located within the system.” The intruder reset the passwords of two IT department personnel to gain access to the data. “It is clearly a criminal act of computer trespass, and we are working with UGA Police to investigate,” Chester told employees in an e-mail.
Full Story

DATA PROTECTION—EU & INDIA

India Asks EU To Declare it as “Data Secure” Country (October 18, 2012)

The government of India has asked the EU to declare the country as “data secure,” The Times of India reports. Without a data secure declaration from the EU, sensitive data such as medical information cannot legally flow between the regions. India Commerce and Industry Minister Anand Sharma said, “It is our clear analysis that our existing law does meet the required EU standards. We would urge that this issue is sorted out quickly, and necessary comfort in declaring India data secure in overall sense needs to be given as almost all the major Fortune-500 companies have trusted India with their critical data.” The EU is studying whether India’s laws meet the EU’s directive.
Full Story

PERSONAL PRIVACY—U.S.

$665,000 or More Expected in Settlement of MN Case (October 18, 2012)

A former police officer may receive more than $665,000 in the settlement of a case where other law enforcement officers illegally accessed her driver's license information, KSTP-5 Eyewitness News reports. Her suit alleges 144 law enforcement officers "accessed, used or disclosed her private information approximately 554 times" between 2005 and 2012 "without any legitimate business reason to do so" and names the cities of St. Paul and Minneapolis, MN, among others. A $385,000 settlement is proposed with St. Paul, MN, and a $280,000 settlement was reached during an October 1 court-ordered mediation with the 16 other area cities. A settlement conference with the city of Minneapolis is scheduled for October 25.
Full Story

PRIVACY

Carnegie Mellon To Offer Masters in Privacy (October 18, 2012)

Carnegie Mellon University has created a master’s degree program in privacy. The Pittsburgh Post-Gazette reports that the one-year program will start in the 2013-14 academic year and aims to help prepare students for the increasing marketplace demand for privacy-savvy computer scientists and engineers. The program will include classroom instruction and a summer work experience project. CMU Professors Lorrie Cranor and Norman Sadeh created the program.
Full Story

BIOMETRICS

The Emergence of Emotion-Sensing Technologies (October 17, 2012)
The New York Times reports on efforts to improve facial recognition technologies capable of sensing human emotions such as anger, sadness and frustration. Affective computing is currently being developed to assess a wide range of applications from reading student interest in the classroom to helping those on the autism spectrum understand the emotions of others. Emotionally aware devices, however, give “many people the creeps,” the report states. Oxford University Future of Humanity Institute Director Nick Bostrom said, “We want to have some control over how we display ourselves to others,” adding, “it’s not obvious the world would be a better place” with such technology. (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

FTC Declines To Comment on EU’s Call for Privacy Policy Changes (October 17, 2012)

Following French DPA (CNIL) President Isabelle Falque-Pierrotin’s announcement Tuesday on calls for Google to revise its privacy policy, The Washington Post reports that the U.S. has “declined to join European criticism.” Falque-Pierrotin had asked the FTC’s David Vladeck to support a letter that Dutch DPA Chairman Jacob Kohnstamm previously confirmed was endorsed by 27 EU member states, Canada and some countries in Asia. Vladeck declined, and the FTC has not commented on whether it is investigating privacy issues raised in the letter, the report states. “We would have been happy if they would have signed it,” Falque-Pierrotin said, adding, “I think they will study it and have their own conclusions.” (Registration may be required to access this story.) Editor’s Note: Jacob Kohnstamm will deliver a keynote address while Isabelle Falque-Pierrotin will participate in a breakout session on the new European privacy regulation at the upcoming IAPP Data Protection Congress in Brussels, Belgium in November.
Full Story

DATA RETENTION—UK

Graham: “Important Data Protection Principles at Stake” (October 17, 2012)

Information Commissioner Christopher Graham told a committee of MPs recently that the draft Communications Bill, currently in front of Parliament, may miss its intended mark and instead uncover “incompetent and accidental anarchists” rather than the “really scary people,” reports BBC News. The bill would see Internet service providers (ISPs) required to store communications data for at least one year, but Graham says it may only apply to the six largest companies, adding, there are “important data protection principles at stake. There is a judgment to be made between the security community saying ‘we have to have this stuff’ and the civil liberties community, which says this is a gross intrusion of privacy and of citizens’ rights.”
Full Story

ONLINE PRIVACY—U.S.

FTC’s Ohlhausen Skeptical of New Privacy Legislation (October 17, 2012)

The Federal Trade Commission’s (FTC) Maureen Ohlhausen has voiced concerns that calls for new privacy legislation could undermine the FTC’s other task of promoting competition, National Journal reports. Ohlhausen said, “Before seeking new privacy legislation, I think it is important to identify a gap in statutory authority or to identify a case of substantial consumer harm that we would like to address but can’t within our existing authority.” Ohlhausen noted the many benefits of information sharing for consumers, adding, “that’s why I am concerned about treating privacy solely as a consumer protection issue. It also must be viewed through the competition lens if you want to reach the best outcome for consumers.”
Full Story

PRIVACY LAW—AUSTRALIA

Mandatory Notification Back on the Table (October 17, 2012)

Australian Attorney General Nicola Roxon has published a discussion paper on whether the country needs a mandatory breach notification law; the paper includes a poll for the public to weigh in on the issue. The Australian Financial Review reports that Privacy Commissioner Timothy Pilgrim renewed his calls for a law after a decrease in notifications in the last financial year. Pilgrim said “there is a strong case to have mandatory data breach notification laws in Australia” but cautioned against notification for minor breaches due to administrative burdens, notification fatigue and lack of utility, the report states. The attorney general is accepting comment until November 23.
Full Story

BIG DATA

Transaction Data-Sharing Rising; Consumers Want Control Over PI, Says Survey (October 17, 2012)

Financial Times reports that MasterCard is currently reviewing transaction data to help marketers improve targeted advertising. MasterCard Senior Vice President of Media Solutions Susan Grossman said, “The foundation of all our solutions is transaction data.” A company spokesman said MasterCard is “committed to protecting individual privacy” and that shared data is anonymous and aggregated. Wired reports on potential business ventures for Amazon. A representative from a digital ad agency said, “With rich data on its users, Amazon is uniquely positioned to match advertisers with shoppers.” Meanwhile, a TrustedID survey has revealed that less than 20 percent of consumers have a good understanding of “data brokers.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

PCI Council Says Payment Regulation Is Challenging (October 17, 2012)

PCI Security Standards Council European Director Jeremy King has said the council was “surprised at how fast new technologies were coming along” in the mobile payment landscape, SC Magazine reports. King added, “Mobile technology is still new, and there is still no knowledge of how to do mobile security.” Analyst Alan Goode said challenges not only reside on the security side but in the authentication and data protection spheres as well. “It is difficult to regulate and ensure data is protected,” he said, adding, “With mobile you can do it right, providing that the data is protected and assured.”
Full Story

ONLINE PRIVACY

Opinion: Privacy Has Become a Currency for Some, Luxury for Others (October 17, 2012)

Using free online services is an agreed-upon exchange: people give personal details and get a service. “It’s nothing new. We’ve been selling our privacy for a while now,” write Chris Taylor and Ron Webb for the Harvard Business Review. The tipping point on the scales when “the intrusions on privacy outweigh the benefits” may be “the advent of Big Data,” the authors state, offering tips on how to evaluate the privacy tradeoff. Meanwhile, a TechCrunch op-ed opines that as cheaper technology becomes available in poorer nations, government intrusions will likely increase. “It can’t be long before privacy becomes, like clean water or reliable power, something that only the rich can afford,” Jon Evans writes.
Full Story

ONLINE PRIVACY

Regulators Call for Changes to Google’s Privacy Policy (October 16, 2012)
The New York Times reports on today’s press conference hosted by the French data protection authority, the CNIL, where regulators called upon Google to clarify its 10-month-old privacy policy or face potential sanctions. In a letter to Google, the regulators noted the revised privacy policy “did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum,” the report states. CNIL Chairwoman Isabelle Falque-Pierrotin said the agency will give Google three or four months to respond to the concerns. In a statement provided to the Daily Dashboard, Google Global Privacy Counsel Peter Fleischer said, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.” Dutch DPA Chairman Jacob Kohnstamm told The New York Times that privacy regulators from the 27 EU member states, Canada and some countries in Asia participated in the CNIL inquiry and “endorsed the request to Google, which outlines areas for changes to improve protection of personal data.” (Registration may be required to access this story.)

PRIVACY LAW—SINGAPORE

Parliament Passes Personal Data Protection Bill (October 16, 2012)

The Singapore Parliament has passed a personal data protection bill aimed at protecting information in the private sector, ZDNet reports. The bill includes a Do-Not-Call registry and the creation of a new enforcement agency—the Personal Data Protection Commission (PDPC)—to regulate private-sector use of personal data. Slated to become official in January, the act will require individuals be informed of and provide consent to the processing of their data by private organizations, and individuals may seek compensation through private rights of action, the report states. The PDPC may fine noncompliant organizations up to S$1 million.
Full Story

BIG DATA—U.S.

DMA Launches “Data-Driven Marketing” PR Campaign (October 16, 2012)

The Direct Marketing Association (DMA) has launched a $1 million public relations campaign aimed at improving the image and curbing government “regulation of the consumer data-mining industry,” The New York Times reports. Titled the “Data-Driven Marketing Institute,” the campaign intends to prevent “needless regulation or enforcement that could severely hamper consumer marketing and stifle innovation” while “tamping down unfavorable media attention.” Acting DMA Chief Executive Linda A. Woolley said, “We want to set the record straight on what we think has been a lot of mischaracterization of what we do and to explain the benefits of data-driven marketing to consumers.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

Wireless Carrier’s Initiative Raises Privacy Concerns (October 16, 2012)

A marketing initiative by Verizon Wireless has raised concerns among privacy advocates, CNET News reports. The company’s Precision Market Insights plan aggregates customers’ locations, app usage and browsing activities and sells the data, a move that some say could violate a federal wiretap law. Verizon says it may link consumer data to third-party databases containing information about customers’ gender and ages as well as details such as “sports enthusiast, frequent diner or pet owner,” the report states. The company says the initiative is legal because the data is aggregated, does not reveal customers’ identities and provides an opt-out. Meanwhile, a Huffington Post report provides three ways to limit third-party access to iPhone user activity.
Full Story

DATA LOSS—UK

ICO Fines Police 120,000 Pounds (October 16, 2012)

Greater Manchester Police has paid a fine of 120,000 pounds after a breach involving the theft of a memory stick containing sensitive information, Publicservice.co.uk reports. The stick was not password-protected and was stolen from an officer’s home. It contained details on more than 1,000 individuals connected to crime investigations. The Information Commissioner’s Office (ICO) found that Greater Manchester Police regularly used unencrypted memory sticks to transport data, the report states. The police experienced a similar breach in 2010 and has since then failed to implement the proper safeguards and data protection training, the ICO found.
Full Story

ONLINE PRIVACY—CANADA & GERMANY

Authorities To Cooperate on Cross-Border Digital Privacy (October 16, 2012)

IDG News Service reports that German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states.
Full Story

PRIVACY LAW

Opinion: Privacy Law in “Midlife Crisis” (October 16, 2012)

“Privacy law is suffering from a midlife crisis,” writes Omer Tene in Concurring Opinions. Policymakers are working toward the second generation of privacy law due to “the challenges posed to the existing privacy framework” by increases in Big Data analytics, the movement of personal data to the cloud, the rise in popularity of social networks and individuals’ dissemination of their own personal data. But current approaches fail to adequately address the limitations of existing privacy law, Tene writes. “The major dilemmas and policy choices of informational privacy remain unresolved,” he writes.
Full Story

PRIVACY—U.S.

Campaigns Relying on Data Mining To Push Voter Turnout (October 15, 2012)
A front-page article in The New York Times' Sunday edition describes how both sides of this year’s presidential campaign are using data mining to glean intimate details of voters’ lives and use them to prompt a vote for their respective candidate. The Democratic and Republican National Committees have spent a combined total of at least $13 million this year on data acquisition—including details such as what kind of beer voters drink, if they tend to enjoy frequent vacations or whether they watch college football—in order to contact voters with targeted calls. Experiments indicate such tactics tend to increase voter turnout, the report states. (Registration may be required to access this story.)

PRIVACY LAW—FRANCE & EU

CNIL To Report on Google’s Privacy Policy (October 15, 2012)

The French data protection authority (CNIL) is scheduled to publicly share its report on whether Google’s changes to its privacy policy violate data protection rules at a press conference on Tuesday. The CNIL is expected to ask Google “to unravel” the changes, The Guardian reports. Businessweek quotes one expert’s assessment that, “While CNIL’s views will be persuasive, other data protection regulators in other EU countries could take a different line and levy their own sanctions.” A Google spokesman has said, “We are confident that our privacy notices respect the requirements of European data protection laws.”
Full Story

ONLINE PRIVACY—U.S.

Advertisers Campaign Against Do Not Track (October 15, 2012)

The New York Times reports on the campaign against Do Not Track. Nine U.S. lawmakers recently wrote to the Federal Trade Commission (FTC) voicing concern over restricting the flow of data “at the heart of the Internet’s success.” The Association of National Advertisers and the Interactive Advertising Bureau have both voiced opposition to Microsoft’s default Do-Not-Track mechanism. The Digital Advertising Alliance has said self-regulation is working and should be given a chance to succeed. FTC Chairman Jon Leibowitz said the disagreement on standards could lead to a privacy arms race with browsers rushing to give consumers the most privacy protections, which may not be a bad thing, he added. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO: Private Sector Ahead on Compliance (October 15, 2012)

COMPUTERWORLD reports on audits by the Information Commissioner’s Office (ICO) indicating the private sector is “leading the way” while data protection compliance “concerns remain” for the public sector. “The private-sector organizations we have audited so far should be commended for their positive approach to looking after people’s data,” said the ICO’s Louise Byers, adding, “However, this does not mean that businesses in the UK should rest on their laurels.” She also noted that, generally, the public-sector entities audited had appropriate information governance and training practices in place but need to do more in terms of data security, the report states.
Full Story

MOBILE PRIVACY—U.S.

AG Tweets to United Airlines: Where’s Your Privacy Policy? (October 15, 2012)

California Attorney General Kamala Harris used social media on Friday to commend United Airlines for its “fabulous” mobile app, but then asked via Twitter, “where is your app’s #privacy policy?” Los Angeles Times reports that Harris also linked to the California Online Privacy Protection Act, which requires commercial websites that collect Californians’ personally identifiable information to post a privacy policy. “We have to both cheer the incredible advances in technology and at the same time protect consumer privacy,” said a spokesman for Harris. United Airlines responded saying it would review the app to “ensure that our privacy policy is also easily accessible to United app users.”
Full Story

PERSONAL PRIVACY—HONG KONG

App Allows for Criminal Records Searches (October 15, 2012)

Time Out reports on a mobile app that allows users to search for individuals’ and companies’ criminal histories. Do No Evil costs $1 per search and scans more than two million litigation records by name and address. The report quotes a man who said the app violated his privacy, preventing him from gaining employment based on his past. The Office of the Privacy Commissioner for Personal Data has received inquiries on the app, a spokesman said, but hasn’t received official complaints.
Full Story

DATA LOSS—NEW ZEALAND & U.S.

Breaches at Bank, Ministry Put Consumer Data at Risk (October 15, 2012)

New Zealand Assistant Privacy Commissioner Katrine Evans said in a statement that her office is “very concerned” about a gap in security at the Ministry of Social Development’s Work and Income data kiosks that allowed unauthorized access to personal and confidential data. iTnews reports blogger Keith Ng revealed the lapse after receiving a tip, the source of which claims to have alerted the ministry to it in the week prior, seeking financial reward. Cabinet Minister for Social Development and Employment Paula Bennett called the breach “completely and utterly unacceptable” and apologized. Meanwhile, TD Bank is notifying about 260,000 customers in the U.S. that their data may have been exposed when backup data tapes went missing in March.
Full Story

PRIVACY

2012 IAPP Privacy Award Winners Announced (October 12, 2012)

At the IAPP Privacy Academy’s Privacy Dinner on Thursday evening, some of the best of the best among privacy innovators and experts were honored for their work in the field. In addition to a keynote speech by John Perry Barlow, the 2012 Privacy Dinner featured the announcement of this year’s HP-IAPP Innovator Awards and the Privacy Vanguard Award. Sandra R. Hughes, CIPP/US, is the winner of the 2012 IAPP Privacy Vanguard Award, and for the 2012 HP-IAPP Innovation Award, this year’s winners in the large and small organization and technology categories are the Vodafone Privacy Programme, Alberta Pensions Services, CSR and Oculis Labs. In announcing Hughes’ selection as this year’s Privacy Vanguard at the Privacy Dinner in San Jose, CA, McAfee CPO Michelle Dennedy, CIPP/US, described Hughes’ contributions to the privacy field. Accepting the Vanguard Award, Hughes spoke of her desire to continue to “do the right thing” by giving back to the privacy profession.
Full Story

ONLINE PRIVACY

Groups Warn the FCC on Data Collection, Sharing Practices (October 12, 2012)

Broadcasting & Cable reports that a coalition of groups has cautioned the Federal Communications Commission (FCC) to be careful of how it collects and shares consumer information online in its effort to learn about Americans’ access to broadband services. The Competitive Enterprise Institute, Communications Liberty and Innovation Project, TechFreedom, Center for Media and Democracy and six other groups say they are concerned about consumers sharing information with the commission that could be shared with law enforcement and allow their Internet activity to be reviewed “without due process or judicial scrutiny,” the report states.

GEO PRIVACY—U.S.

GAO Pushes for Work on Location Data Privacy (October 12, 2012)

A report by the Government Accountability Office (GAO) calls attention to the vague treatment of location data in many corporate privacy policies. “Companies were collecting consumers’ location data, but did not clearly state how the companies were using these data or what third parties they may share them with,” the GAO report states. National Journal reports that while the GAO pushes for federal action, just two specific recommendations are made, including that the FTC outline its views on mobile location-data privacy and that the Commerce Department set concrete goals for its work with consumer advocates and industry to develop voluntary standards. Some politicians are using the report as evidence for legislation in this area.
Full Story

PRIVACY LAW—U.S.

Google Asks for Dismissal of Suit (October 12, 2012)

In its motion to dismiss a class-action lawsuit, Google has said the class is contorting state law “in ways the California legislature never intended,” Courthouse News Service reports. The suit alleges Gmail scans e-mails for content and intercepts messages between Gmail and non-Gmail users. It accuses Google of violating the California Invasion of Privacy Act. Asking U.S. District Judge Lucy Koh to dismiss the case, Google says its “fully automated processes involve no human review of any kind” and added that the plaintiffs fail to articulate harm and instead “rely on conclusory allegations that their privacy rights were infringed in the abstract.”
Full Story

PRIVACY LAW—U.S.

Court: Stored Communications Act “Ill-fitted” to Modern Issues (October 12, 2012)

The South Carolina Supreme Court ruled that accessing e-mails in a cheating husband’s inbox did not violate the Stored Communications Act, but the judges all agreed that the act, now 26 years old, “is ill-fitted to address many modern day issues.” The Augusta Chronicle reports the e-mails were accessed by the wife’s daughter-in-law who was able to guess the man’s security question. The e-mails were then printed and shared with the wife’s divorce attorney and a private investigator. “The Stored Communication Act makes a hazy distinction between obtaining e-mails that have not been read or messages that have been read and stored elsewhere versus e-mails that have been read and remain in an inbox,” the report states.
Full Story

HEALTHCARE PRIVACY—U.S.

ONC Seeking Comment on Online Verification (October 12, 2012)

The Office of the National Coordinator for Health IT (ONC) is seeking public opinion on how individuals’ identities should be verified when accessing online health records, reports Government Health IT. The ONC will share the comments with the federal advisory Health IT Policy and Standards Committees October 29 during an online hearing on credentialing patients so they may use online tools. “We want to make sure we facilitate electronic data access and e-mail in a way that protects the privacy, confidentiality and security of that information,” said Deven McGraw, chair of the ONC Privacy and Security Tiger Team.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospital Fires Employees for Accessing Patient’s Files (October 12, 2012)

A “small number” of hospital employees have been fired from Ohio’s Akron General Medical Center for violating hospital and federal privacy rules, Ohio.com reports. John H. Wise is accused of shooting and killing his wife at the hospital where she was a patient in the intensive-care unit. A hospital spokesman says the employees were terminated for inappropriately accessing the woman’s patient records. “It doesn’t happen a lot, fortunately, because employees know, but you can’t let the curiosity get the better of you,” the spokesman said. “That’s human nature and we understand that, but it still doesn’t justify the fact that the policies were violated.”
Full Story

CONSUMER PRIVACY—U.S.

Companies Settle with FTC for List Sharing (October 11, 2012)

One of the largest U.S. consumer reporting agencies has agreed to settle with the Federal Trade Commission (FTC) over charges it “improperly sold lists of consumers who were late on their mortgage payments,” in violation of the FTC Act and the Fair Credit Reporting Act. Equifax Information Services, LLC, will pay $393,000 over allegations that its “inadequate procedures” led to the sale of more than 17,000 lists to firms that “should not have received them.” Direct Lending Source, which bought the lists and resold some of them to third parties, will pay $1.2 million.

ONLINE PRIVACY

Officials, DAA and Microsoft Battle Over DNT (October 11, 2012)

The Digital Advertising Alliance (DAA) has responded to Microsoft’s new default-on do-not-track (DNT) browser, saying it is not an appropriate standard for customers, reports The Next Web. But Sens. Joe Barton (R-TX) and Edward Markey (D-MA) say the DAA is putting “profits over privacy.” Microsoft is holding its ground, citing a study of its customers that showed 75 percent want the company to turn DNT on for them. Meanwhile, EU Digital Agenda Commissioner Neelie Kroes is voicing her concern about the delay and the “turn taken” in the discussions at the World Wide Web Consortium, which missed a June deadline to come up with a better system for DNT.
Full Story

PRIVACY LAW—EU

MEPs Release Data Protection Recommendations (October 11, 2012)

MEP Jan Philipp Albrecht, rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, has released “Working Document 2” on the General Data Protection Regulation draft. Albrecht recommends clarifying the definitions of “personal data” and “data subject” and says consent should “remain a cornerstone of the EU approach to data protection.” Meanwhile, Vice President of the European Parliament Alexander Alvaro has released “Lifecycle Data Protection Management,” in which he emphasizes the need to modernize data protection legislation in a way “that allows consumers to continue having trust in technological advances as well as in their own ability to determine how their personal data is processed.”
Full Story

PERSONAL PRIVACY—U.S.

Bioethics Committee Releases Report on Genome Sequencing (October 11, 2012)

The Presidential Commission for the Study of Bioethical Issues has released a report on the privacy concerns of whole genome sequencing, a process in which it’s possible to determine a person’s complete DNA makeup using DNA samples taken from everyday items like cigarette butts, dental floss, gum or used tissues. Reuters reports the commission’s chairwoman noted the “enormous promise” of sequencing for human health and medicine but added there is a “potential for misuse of this very personal data.” Genome sequencing is set to become part of mainstream medical care, the report states. The report recommends privacy protections including that no sequencing should be performed without a person’s consent.
Full Story

ONLINE PRIVACY—EU & U.S.

U.S. Officials Head to Europe To Talk Privacy (October 11, 2012)

Officials from the U.S. Department of Commerce (DoC), Federal Trade Commission (FTC) and Chamber of Commerce recently traveled to Europe to discuss privacy issues. DoC General Counsel Cameron Kerry met with Irish Data Protection Commissioner Billy Hawkes and Department of Justice officials this week to discuss cross-border data flows. The FTC’s Director of the Bureau of Consumer Protection, David Vladeck, was in Brussels supporting efforts by the Internet Corporation for Assigned Names and Numbers to store more data on website operators and retain it for two years. And TechWeekEurope reports that Adam Schlosser of the U.S. Chamber of Commerce, also in Brussels, lobbied for changes to the proposed EU Data Protection Directive, while Department of Justice officials voiced their concerns.
Full Story

DATA PROTECTION—HONG KONG

PCPD Reports Violations in Loyalty-Card Programs (October 11, 2012)

Privacy Commissioner for Personal Data Allan Chiang has released investigation reports saying three companies violated customers’ privacy by collecting their Hong Kong Identity Card or passport numbers for a loyalty program, reports The Standard. The numbers were collected in order to create default passwords for the programs’ online services and, according to Chiang’s report, the practice amounts to unnecessary and excessive collection. Citing increased public awareness due to the “Octopus incident,” Chiang said, “I expect that corporations in Hong Kong should have learnt a lesson and paid more attention to data privacy regulations.”
Full Story

DATA LOSS—U.S.

Data Losses Prompt Investigations, Reassurances (October 11, 2012)

CNN reports an investigation is underway at Northwest Florida State College involving more than 200,000 students and 3,000 employees. Fifty employees, including the school’s president, have reported issues with identity theft. MPBN reports Maine’s Attorney General is looking into an incident involving misplaced consumer data at TD Bank after a box of back-up computer data went missing in March. Meanwhile, strategy game developer Wargaming.net says a recent security breach at digital goods reseller PlaySpan “affects only a select group” of Wargaming’s “World of Tanks” players, and no financial data was compromised.
Full Story

PRIVACY LAW—PHILIPPINES

Court Suspends Cybersecurity Law (October 10, 2012)

The Supreme Court of the Philippines has suspended the Cybercrime Prevention Act of 2012, reports The New York Times. The government will respond to 15 petitions filed in opposition to the law, which critics have said could lead to imprisonment for sharing social media posts, the report states. The law “establishes penalties for various computer-related crimes, including child pornography, identity theft, online fraud and illegally accessing computer networks.” One senator called the law’s temporary suspension “the first victory in our battle to defend our freedom and right of expression.” (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Rockefeller Seeks Answers from Data Brokers (October 10, 2012)

The chairman of the Senate Commerce Committee has asked for detailed information from online data brokers on how they compile and sell consumer information, Broadcasting & Cable reports. Sen. Jay Rockefeller (D-WV) sent letters to data brokers including Reed-Elsevier, Spokeo and Experian seeking answers on data collection—including its granularity, who has access to it and for what purposes. “Collecting, storing and selling information about Americans raises all types of questions that require careful scrutiny,” Rockefeller said, adding that consumers “deserve to know what’s being collected about them and how companies profit from their information.”
Full Story

SOCIAL NETWORKING—U.S.

Finance Concerned New Laws Conflict with FINRA Regs (October 10, 2012)

New laws passed in some states and proposed in others prohibiting employers from requiring social media passwords from employees and applicants have the financial industry questioning whether they conflict with the communications monitoring required by the Financial Industry Regulatory Authority (FINRA), reports Compliance Week. Many employees use one account for both personal and business uses, and under FINRA regulations, personal accounts used for business are to be treated as business accounts. One expert says such concerns about the California law may be an overreaction, however, as the law allows access to employees’ social media accounts for investigations of misconduct and violations of laws and regulations.
Full Story

PRIVACY LAW—U.S.

SCOTUS Ends Case Against Telecoms (October 10, 2012)

The U.S. Supreme Court has ended a class-action lawsuit filed six years ago against U.S. telecommunications companies for assisting the National Security Agency (NSA) in monitoring international phone calls and e-mails, reports the Los Angeles Times. The suit was “dealt a death blow in 2008 when Congress granted retroactive immunity” to the companies, the report states, and the court has turned down appeals from civil liberties groups without comment. A case is expected to come before the court later this month to decide whether NSA agents can be sued for authorizing the wiretapping, the report states.
Full Story

CHILDREN’S PRIVACY—U.S.

Auditor: Ohio Law Hampering School Tracking Efforts (October 10, 2012)

According to auditor Dave Yost, an Ohio law that makes students’ personal information off-limits to state agencies means keeping track of the 1.9 million students in the state is difficult and costly, reports the Associated Press. Yost told the state’s Board of Education the Statewide Student Identifier policy “doesn’t help anybody,” adding that moving the system in-house and lifting restrictions on student IDs could save the state an estimated $430,000 each year. "What we're really worried about here is kids' information not being out on the street, not being easily accessible…But we can do that by simply controlling the access and what the rules are for dissemination of that information," Yost said.
Full Story

CONSUMER PRIVACY

What To Do About Privacy Merchants? (October 10, 2012)

In an exclusive for The Privacy Advisor, George Washington University Prof. Amitai Etzioni discusses “privacy merchants,” companies whose main business it is to track Internet users and keep detailed accounts on them. While laws regulate access to certain data sets, such as medical and financial records, one can easily use “privacy violating triangulation” to piece together such information in a roundabout way, Etzioni writes. He adds that laws to ban such a practice, while seemingly unlikely due to anti-regulatory and pro-business climates in the U.S., would “serve as part of a system that would shore up privacy to a reasonable level in the future.” (IAPP member login required for access.)
Full Story

ONLINE PRIVACY

Opinion: Should Do-Not-Track Get the Axe? (October 10, 2012)

Ed Bott writes for ZDNet about his view on the status of the do-not-track debate. “The advertising side wants the standard to be rendered meaningless, the tech guys throw up their hands and say they have lost any energy to go on with a ‘pathetic’ process. And privacy advocates are completely marginalized,” Bott writes. Outlining excerpts from the World Wide Web Consortium’s working group and releases from the Digital Advertising Alliance (DAA), Bott also highlights discussions about Microsoft’s “default on” do-not-track mechanism, which the company shows no signs of backing down on. Meanwhile, the DAA has issued a release allowing companies to reject it.
Full Story

PRIVACY

Should I Get More Involved? (October 10, 2012)

In this exclusive for The Privacy Advisor, Heather Egan Sussman, CIPP/US, discusses the ways volunteering has enhanced her professional experiences. Sussman is a partner in the law firm of McDermott Will & Emery LLP. She is co-chair of the firm’s Global Privacy and Data Protection Group. “Being on a board elevates participation to more of a national and international level rather than just focusing on a particular region,” Sussman says, adding that such involvement has connected her with “many of the top minds in privacy.”
Full Story

ONLINE PRIVACY

What Happens to Data After Death? (October 9, 2012)

IT World reports on what happens to an individual’s online data after death. There isn’t yet comprehensive legislation on how a deceased person’s data must be handled, and the draft of the revised European Data Protection Directive makes no mention of it, the report states. Instead, rules differ from one jurisdiction to the next. In Bulgaria, for example, data rights belong to the deceased’s heirs, while in Estonia, previously obtained consent to process personal data is deemed valid for 30 years after death, unless the data subject says otherwise during their living years.

DATA PROTECTION—EU & U.S.

Regulators To Examine Google Policy, EPIC Challenges FTC (October 9, 2012)

EU data protection commissioners will look at whether Google’s changes to its privacy policy earlier this year comply with EU privacy laws, The Guardian reports. The revision created a single policy for all Google services and resulted in the consolidation of data into a single location, the report states, drawing questions from regulators including the French data protection authority. Meanwhile, the Electronic Privacy Information Center has released a statement alleging the U.S. Federal Trade Commission has “withheld from public disclosure” information about its recent audit of Google’s privacy program.
Full Story

CHILDREN’S PRIVACY—U.S.

Student RFID Tags Transmit Constant Signal (October 9, 2012)

While some companies fight revisions to the Children’s Online Privacy Protection Act and others continue to violate it, the tracking of students through RFID badges and surveillance cameras is increasing, reports AlterNet. As of October 1, a Texas school system outfitted students at two of its campuses with badges containing RFID chips that transmit a constant signal so students can be tracked throughout the day—unlike more commonly used RFID badges that only transmit data when scanned. Privacy and civil rights activists say the badges contravene the students’ right to free speech as they can monitor which kids spend time together.
Full Story

SOCIAL NETWORKING—U.S.

New “Sponsored Stories” Settlement Filed (October 9, 2012)

Facebook has filed another settlement in a lawsuit over its “Sponsored Stories” feature after a judge dismissed the company’s first attempt in August, reports CNET News. The settlement includes a one-time $10 payment to affected users and an “easily accessible mechanism” for users to see how their Facebook content is being used in Sponsored Stories. It also allows parents of users under the age of 18 to opt them out of the feature, or, if the parents are not Facebook users, the company will not use minors’ data until they turn 18, the report states.
Full Story

PRIVACY LAW—EU

Expert: Medical Data Not Adequately Protected in Draft Directive (October 9, 2012)

University of Cambridge Prof. Ross Anderson spoke at a recent privacy conference about a loophole in draft EU data protection regulations that he believes puts medical data at risk, reports CIO. The loophole exists in provisions allowing for secondary uses of medical data for historical and research purposes, Anderson says. "The fundamental problem is that everyone from insurers to drug companies wants access to masses of personal data," he says, and while the regulations call for the anonymization of data shared with researchers, "You can always find a set of queries that reveals the target." Anderson says he’s bringing attention to the weakness now in hopes of getting the sections amended.
Full Story

BEHAVIORAL TARGETING—U.S.

Study: Most Americans Don’t Want To Be Tracked (October 9, 2012)

A study by the Berkeley Center for Law and Technology found that most Americans don’t find online ads useful and do not want information to be collected about their online behavior, reports The New York Times. The study asked 1,230 Internet users what they’d like a do-not-track mechanism to do, and 60 percent chose the option, “prevent websites from collecting information about them.” Nearly 90 percent of respondents had never heard of the Federal Trade Commission’s proposal for a do-not-track mechanism—which the authors of the study refer to as “a modest intervention.” (Registration may be required to access this story.)
Full Story

PRIVACY

Research Hampered by Limited Access to Death Files (October 9, 2012)

The New York Times reports on the Social Security Administration’s (SSA) limit on access to death records and the resulting effects on research initiatives. The SSA decided last year that, under the law, state records on deaths are exempted from public disclosures. Researchers conducting studies on diseases such as cancer and cardiovascular treatments say they depended on access to that data, and their work has been slowed by the changes. A spokesman for the financial industry said such limited access makes it increasingly difficult to detect the theft of Social Security numbers from deceased individuals. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

Experts Discuss Company’s Demise, Importance of IT Oversight (October 9, 2012)

IDG News Service reports on the breach at broker-dealer GunnAllen, which resulted in the U.S. Securities and Exchange Commission’s first privacy fine for failing to protect customer data. In April 2011, two individuals were fined $20,000 and a third $15,000 for “aiding and abetting GunnAllen’s rule violations,” after a GunnAllen representative downloaded accountholder files to his personal thumb drive as the company prepared to liquidate. One privacy expert says weaknesses in the broker-dealer’s outsourced IT program, which would lead to numerous problems before the company’s eventual demise, demonstrate the importance of due diligence, contractual obligations, monitoring and audits when it comes to outsourced data security.
Full Story

BEHAVIORAL TARGETING

In Amsterdam, A Lack of Consensus on Do Not Track (October 5, 2012)

The New York Times reports on the World Wide Web Consortium’s (W3C) meetings in Amsterdam this week and the lack of consensus among stakeholders on how to bring a Do-Not-Track option to websites. The report states that “the stakes for Internet users are high and boil down to who determines the limits and protections of online privacy on the Internet…” The meeting continues today. While the W3C’s Thomas Roessler says he has “some measure of confidence we will come up with a workable solution,” the head of the European Commission’s Article 29 Working Party, Jacob Kohnstamm, an observer at the meeting, said, “It seems the process has been hijacked by commercial interests.” U.S. FTC Chairman Jon Leibowitz said, “There is enormous and bipartisan momentum for Do-Not-Track options for consumers if there is no agreement by the end of this year.”

HEALTHCARE PRIVACY—U.S.

Calls for Prescription Drug Info Raise Concerns (October 5, 2012)

In the wake of a “prescription drug epidemic that led to 113 overdose deaths,” administrators with Florida’s Sarasota County Sheriff's Office have been seeking additional information from doctors through “a form patients could sign that would waive their privacy rights and allow detectives to examine…records without getting permission from a judge,” the Herald-Tribune reports. Citing Health Insurance Portability and Accountability Act (HIPAA) concerns, among other factors, the report notes the move has “drawn sharp criticism” from some in the medical community. One lawyer suggests the forms violate patients’ privacy rights under HIPAA.
Full Story

PRIVACY LAW—U.S.

Judge Rules Privacy Claim Must Be Dropped From Lawsuit (October 5, 2012)

The Arkansas Supreme Court has ruled that a lawsuit filed by the mother of a slain TV anchor can proceed, but a privacy invasion claim must be dropped, the Associated Press reports. Filed against St. Vincent Infirmary Medical Center, the lawsuit claims “outrageous behavior” by three hospital employees who accessed the victim’s sensitive medical records without authorization. The justices ruled Thursday that the mother “can sue the hospital for outrageous behavior, because that claim is made on her own…behalf,” the report states, but upheld a lower court's decision that the “family cannot seek punitive damages for invasion of the slain woman's privacy.”
Full Story

ONLINE PRIVACY

New Privacy Tools Emerge (October 5, 2012)

The Association for Competitive Technology has introduced App Privacy Icons as part of its campaign to “provide developers with the resources to demonstrate easy-to-understand transparency about the privacy settings and features of their apps,” eWeek reports. The icons inform web users whether an app contains advertising, collects data or shares information with social networks, the report states. Meanwhile, a group of privacy activists has launched “Terms of Service; Didn’t Read” to help users make better choices online. “We are trying to fight the unfair situation in which big websites make us sign terms-of-service agreements that are too long to read and understand,” the project description states.
Full Story

ONLINE PRIVACY

Exploring the Privacy of Private Messages (October 5, 2012)

The Wall Street Journal reports on a recent online video allegedly showing that Facebook scans links sent via private messages and registers them as though the user “likes” the page sent. “It’s just one example of how online messages that seem private are often actually examined by computers for data,” the report states, adding, “it is not clear from Facebook’s data use policy that regular users would expect links in their messages to be scanned this way.” Facebook has responded that “absolutely no private information has been exposed,” and users’ privacy settings were not affected. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Do-Not-Track Standards Discussion Heats Up (October 4, 2012)

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) has told Federal Trade Commission (FTC) Chairman Jon Leibowitz that “self regulation for the purposes of consumer privacy protection has failed,” but, Broadcasting & Cable reports, he encouraged the FTC to work with the World Wide Web Consortium to develop Do-Not-Track (DNT) standards. Rockefeller has also introduced DNT legislation. Leibowitz has said the industry “appears to be backing off from its commitments” to DNT. Meanwhile, the Center for Democracy & Technology wrote, “in recent days, we have suddenly seen an all-out blitz of attacks on Do Not Track, both in Washington and Silicon Valley.” COMPUTERWORLD reports that industry representatives have sent a letter to Microsoft’s top executives to call the company’s default DNT setting “unacceptable.”

DATA LOSS—U.S.

Hackers Post Personal Details from 53 Universities Worldwide (October 4, 2012)

The New York Times reports on a breach affecting thousands of personal records from 53 universities around the world. Hackers published records from schools including Harvard, Stanford, Cornell, Princeton, Johns Hopkins and the University of Zurich. Details included 36,000 e-mail addresses as well as names, usernames, passwords, addresses and phone numbers of students, faculty and staff, the report states. The hackers claiming responsibility call themselves Team GhostShell and cited “changing education laws in Europe and spikes in tuition fees in the United States” as their motives. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge Dismisses Pandora Privacy Lawsuit (October 4, 2012)

A federal judge has dismissed a multibillion-dollar lawsuit claiming that Internet radio company Pandora violated its users’ privacy, CNET News reports. The suit argued that a pre-Internet era Michigan law was violated when Pandora integrated with Facebook in 2010. Saying that no “actual injury” was demonstrated, U.S. District Judge Saundra Armstrong noted the 1988 state privacy law prohibits a class-action lawsuit “by a person who has not suffered actual loss,” adding, “Pandora argues that it merely streamed music to plaintiff’s computer and, therefore, could not have violated (state law) because it never rented, lent or sold recordings to him.”

SURVEILLANCE—U.S.

Senate Report: Post 9/11 “Fusion Centers” Offended Civil Liberties (October 4, 2012)

A newly released Senate subcommittee report has found that centers established after September 11, 2001, to share counterterrorism data with local and federal law enforcement put Americans’ civil liberties at risk, NPR reports. Since 2003, more than 70 “fusion centers” were established, costing an estimated $289 million to $1.4 billion. But the centers “forwarded ‘intelligence’ of uneven quality—oftentimes shoddy, rarely timely, sometimes endangering citizens’ civil liberties and Privacy Act protection,” the subcommittee report states. The report recommends the Department of Homeland Security “revisit the statutory basis for DHS support of fusion centers,” conduct assessments on information-sharing and strengthen protections of civil liberties.

BIG DATA—U.S.

Gov’t Report Calls for Big Data Career Track (October 4, 2012)

A new industry report calls on the government to create a formal career track for employees managing Big Data, Federal Times reports. The TechAmerica Foundation’s Big Data Commission is calling for “a new federal academy to train and certify employees to capture, store, share, manage and analyze vast volumes of data” and cites agencies currently using Big Data techniques, such as NASA and the Internal Revenue Service. “The biggest issue is making sure that you have and can get to the relevant information that you need to make better decisions, improve processes, reduce fraud, waste and abuse and have better predictive capabilities,” said one expert.

SOCIAL NETWORKING

Analysis: Regulating Employee Use; Defining Defamation Liability (October 4, 2012)

Privacy experts Jan Dhont and Emily Hay analyze the regulation of social media use across continents in this exclusive for The Privacy Advisor. “In a world characterized by constant connection to online devices and the blurring of professional and private lives,” they write, “striking a balance that respects personal autonomy while protecting legitimate employer interests can be a delicate task.” Meanwhile, Mathew Schwartz explores liability concerns on social media. “Can service providers be held liable for what their users post, including what others may deem to be offensive communications?” Schwartz queries. (IAPP member login required for access.)

CHILDREN’S PRIVACY—U.S.

Artist Arena Agrees to $1 Million Settlement with FTC for COPPA Violations (October 3, 2012)

Fan site operator Artist Arena has agreed to a $1 million settlement with the Federal Trade Commission (FTC) for allegedly violating COPPA, The Washington Post reports. The proposed settlement still awaits approval from a judge. An FTC investigation found that the company—which operates fan sites for Justin Bieber and other musicians—collected the names, e-mail addresses, birth dates and gender of children under the age of 13. FTC Chairman Jon Leibowitz said, “Marketers need to know that even a bad case of Bieber Fever doesn’t excuse their legal obligation to get parental consent before collecting personal information from children.” (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO Set To Penalize Illegal Marketers (October 3, 2012)

The Information Commissioner’s Office (ICO) has announced it is set to issue two monetary penalties totaling more than £250,000 to illegal marketers for distributing millions of unsolicited spam texts. According to an ICO press release, the actions of the two individuals violate the Privacy and Electronic Communications Regulations (PECR). The ICO said the marketers have 28 days to respond and prove compliance with the PECR. ICO Director of Operations Simon Entwisle said, “we are already working to identify other individuals and companies involved in these unlawful practices.” Entwisle has also released a blog post on the agency’s work in this area.

PRIVACY LAW—EU

EDPS: Common Standards Should Govern E-ID Schemes (October 3, 2012)

In a new opinion, the European Data Protection Supervisor (EDPS) has recommended that “trust service providers” and other electronic identification issuers should be required to meet a common set of data security standards under the proposed Electronic Trust Services Regulation, Out-Law.com reports. The EDPS said “the proposed regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services.”

SURVEILLANCE—UK

New Regulator Raises HD CCTV Concerns (October 3, 2012)

Newly appointed Surveillance Camera Commissioner Andrew Rennison says the unregulated installation of inexpensive, high-definition CCTV cameras in Britain could identify and track individuals, creating a Big Brother state and breaching human rights laws, The Telegraph reports. “The technology has overtaken our ability to regulate it,” Rennison said, adding the sophisticated cameras are “storing all the images they record” and have the ability to “run your image against a database of wanted people.” According to the report, Rennison is creating a CCTV code of conduct for Parliament.

SOCIAL NETWORKING

Facebook Launches New Help Center, Faces Criticism for Targeted Ads (October 3, 2012)

Facebook has redesigned its help center and dashboard to help users understand privacy settings, The Washington Post reports. Launched Tuesday, the center aims to help users manage their privacy settings and read about changes to the site, the report states. Meanwhile, the French data protection authority has said Facebook users’ privacy was not breached last week following concerns that private messages were being posted on public profiles. The site continues to face criticism for allowing marketers to target ads to consumers based on their web browsing activities or the phone and e-mail addresses they’ve listed on their profiles. (Registration may be required to access this story.)

CONSUMER PRIVACY

FTC, Others Work as Privacy Educators (October 3, 2012)

In an exclusive for The Privacy Advisor, Mathew Schwartz discusses who is responsible for educating consumers about privacy in the U.S. Privacy education won’t be effective “unless consumers feel passionate about their privacy,” Schwartz writes, which is complicated by consumers’ differing definitions of privacy itself. Education efforts include recent guidelines and resources published by the FTC, Privacy Rights Clearinghouse and the Electronic Frontier Foundation. In addition to privacy education, the FTC has recently ramped up its role as privacy enforcer, evidenced by its $22.5 million fine against Google and $800,000 fine against Spokeo, a settlement with Facebook and a complaint against Wyndham Hotels. (IAPP member login required for access.)

BIG DATA

Opinion: Privacy Challenges Eased When Users Are In Control (October 3, 2012)

In a blog post for Harvard Business Review, Alex “Sandy” Pentland discusses the privacy implications of Big Data. “Just as businesses are beginning to see the power of Big Data, consumers are beginning to ask about their right to prevent the collection and use of every bit of data they leave behind,” Pentland writes. Sessions at the World Economic Forum on the topic have resulted in the FTC’s “U.S. Consumer Data Privacy Bill of Rights” and a declaration by the EU justice commissioner on data ownership as a basic human right. Pentland says this “New Deal on Data” puts the individual “much more in charge” and makes Big Data safer and more transparent.

PERSONAL PRIVACY—U.S.

License-Plate Tracking Tech Becoming Ubiquitous (October 2, 2012)

The Wall Street Journal reports on the rise of license-plate tracking technology, noting it “is a case study in how storing and studying people’s everyday activities, even the seemingly mundane, has become the default rather than the exception.” The Department of Homeland Security (DHS) has awarded more than $50 million in federal grants to law enforcement agencies during the past five years for the technology, and at least two private businesses using the technology have been identified, the report states. Former DHS Chief Privacy Officer Mary Ellen Callahan, CIPP/US, once said such private databases could become the nation’s largest collection of people’s movements. Meanwhile, privacy advocates are concerned that new forms of car insurance discounts are potentially privacy-invasive. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

The Rising Issue of Warrantless Access to Electronic Data (October 2, 2012)

CSO reports on arguments being levied by the American Civil Liberties Union (ACLU) and the U.S. Department of Justice (DoJ) over government surveillance of citizens’ electronic communications. The ACLU has said the Electronic Communications Privacy Act (ECPA) is outdated and does not require court approval for “non-content” information. ECPA’s standard on “non-content” data is “based on an erroneous factual premise, specifically that individuals lack a privacy interest in non-content information,” said an ACLU representative, adding that non-content data paints a “vivid picture of the private details of your life.” Meanwhile, the U.S. Court of Appeals in New Orleans is scheduled to hear a government appeal regarding a warrantless request of cellphone location records, and California Gov. Jerry Brown vetoed a bill that would have required law enforcement to get a warrant prior to obtaining location-tracking data.

PRIVACY LAW—EU

Article 29 Working Party: ICANN Updates May Be Unlawful (October 2, 2012)

As the Internet Corporation for Assigned Names and Numbers (ICANN) updates its Registrar Accreditation Agreement, the European Commission’s Article 29 Working Party has said some of the changes may be illegal, Infosecurity Magazine reports. The Working Party has written to ICANN to address its annual re-verification of contact details, which it calls “excessive and therefore unlawful,” and a new data retention proposal that would keep personal information on registrants, including phone numbers, e-mail addresses and credit card data, “for two years after the registration ceases,” the report states. The Working Party says such retention “does not stem from any legal requirement in Europe” and there is no “legitimate purpose” for the data collection.

SSN PRIVACY—U.S.

CA AG and Insurer Reach Lawsuit Settlement (October 2, 2012)

California Attorney General Kamala Harris and Anthem Blue Cross have reached a $150,000 settlement in Los Angeles Superior Court over a data breach incident involving Social Security numbers, the Associated Press reports. Between April 2011 and March 2012, letters were mailed to Medicare Supplement and Medicare Part D subscribers that included the recipients’ Social Security numbers, a violation of California state law. An Anthem spokeswoman said there has been no indication that recipients’ data was abused and the organization has created a new alert system for sensitive subscriber information, the report states.

DATA LOSS—U.S.

Breaches Expose Military Veterans’ and University Employees’ SSNs (October 2, 2012)

The Washington Times reports on a breach exposing the Social Security numbers (SSNs) of war veterans from Iraq and Afghanistan. A civilian contractor posted 31 decorated veterans’ SSNs among a list of 500 names and profiles onto a website. A spokesman said the army launched an investigation and ordered the contractor to take the site down. “We take this matter seriously,” the spokesman said. Meanwhile, the University of Chicago is offering to pay for one year of credit monitoring to those affected by a breach involving 9,100 employees’ SSNs. A recent survey found that 26 percent of Americans have been told their personal information has been breached.

DATA PROTECTION—U.S.

OS, Exchange Server Enhance Privacy Controls (October 2, 2012)

The Center for Democracy and Technology (CDT) says it approves of the privacy features Apple recently incorporated into its iOS 6 operating system, Computerworld reports. In a recent blog post, the CDT said it “applauds Apple’s decision to incorporate these substantial pro-privacy elements into iOS 6, allowing users to finely control how their data gets shared with specific apps and to more easily express a desire not to be tracked by marketers,” adding, “We hope that this effort encourages mobile OS vendors to continue to iterate and compete on built-in privacy controls.” Meanwhile, in PCWorld, Tony Bradley says the enhancement of data protection controls in Microsoft’s Exchange Server will help IT admins keep data safe.

EMPLOYEE PRIVACY—U.S.

Experts Discuss BYOD Risks (October 2, 2012)

In this exclusive for The Privacy Advisor, experts Bill Cook and Andrea Ward discuss the security and privacy concerns associated with “bring your own device” (BYOD). While the BYOD trend has been gaining ground in recent months, senior management will need to consider security and privacy risks including data ownership and access rights, according to Cook and Ward. Meanwhile, a recent Harris survey found 82 percent of respondents were concerned with employers tracking web movement on their personal devices and 86 percent were concerned with the “unauthorized deletion of personal data.” (IAPP member login required for access.)

PRIVACY LAW—UK

ICO To Commence Cookie Crackdown (October 1, 2012)

Financial Times reports the Information Commissioner’s Office (ICO) is beginning to crack down on companies not complying with cookie regulations. KPMG Partner Steve Bonner said, “There is still a wait-and-see element among companies. It is much like when you are speeding along the motorway with no police car in sight and everyone else also driving 100 miles an hour. It doesn’t feel risky. But when the police car suddenly pulls out of the lay-by, it will be interesting to see what happens.” Noncompliant organizations may be liable for fines of up to £500,000. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Facebook: COPPA Changes Violate Constitutional Rights (October 1, 2012)

Facebook says proposed COPPA changes violate free speech rights, The Hill reports. In a filing with the Federal Trade Commission (FTC), Facebook said the proposed provision preventing children under the age of 13 from “liking” or recommending websites violates the First Amendment. “The Supreme Court has recognized on numerous occasions that teens are entitled to First Amendment protection,” the company said. The changes would also prevent websites from installing cookies to track children’s web movements. Facebook has asked the FTC for clarification that “websites will still be allowed to advertise directly to children,” the report states.

PRIVACY LAW—MALAYSIA & SINGAPORE

Exploring the State of the PDPA (October 1, 2012)

Singapore recently had its first reading of its Personal Data Protection Act in Parliament, prompting Hariati Azizan of The Star Online to query when Malaysia’s Personal Data Protection Act (PDPA) will be enforced. Malaysia's Information, Communications and Culture Minister Datuk Seri Dr Rais Yatim announced in February that the PDPA would be enforced by the middle of 2012. According to the report, enforcement details will be supplied by the ministry “as early as next month.” Meanwhile, a Malaysian government representative said, “Even though the PDPA has not been enforced yet, there are other relevant laws that can be used to take action against the offenders…”

PRIVACY LAW—EU

German MEP Calls for Tighter Rules on Social Networks (October 1, 2012)

A member of the European Parliament has called for tighter controls of online social networks under the EU’s proposed data protection framework, Reuters reports. Germany’s Jan Philipp Albrecht, who is heading up the European Parliament’s work on the draft framework, says a recent incident involving Facebook users’ allegations that their personal messages appeared on their public profiles indicates the need for increased user control over data. “The informed and explicit agreement of all those affected by data processing must be a guiding principle,” said Albrecht. The CNIL met with Facebook last week about the incident and accepted Facebook’s explanation that the incident was a misunderstanding and not a breach.

CLOUD COMPUTING—EU & UK

Commission, ICO Release Cloud Guidance (October 1, 2012)

The European Commission and the UK Information Commissioner’s Office (ICO) both released guidelines on cloud computing last week, SC Magazine reports. EU Digital Affairs Commissioner Neelie Kroes announced plans for the development of European standards and certifications on the technology by 2013, estimating it could boost the private-sector and public-services economies by €160 billion within years. “But this can only happen if we get the policies right,” said Kroes. The ICO issued guidance reminding businesses they are responsible for the data they store in the cloud, regardless of who processes it. Meanwhile, a survey has found regulatory and privacy issues among the reasons widespread cloud adoption is slow.

DATA PROTECTION

BYOD Gives Rise To Maze of Legal Risks (October 1, 2012)

The growth of bring-your-own-device (BYOD) policies brings with it “a minefield of legal questions and risks,” The Washington Post reports. Demand for legal services for data privacy and security “has skyrocketed” and has propelled a number of law firms to build out privacy protection practices. Meanwhile, a new Harris survey has revealed that nearly 80 percent of employees would not give their employers access to view what apps are on their devices. (Registration may be required to access this story.) Editor’s Note: The IAPP will host the breakout session Do You Know Where Your Employees Are? Managing Mobile Workforce Devices and Employee Monitoring for a Mobile Workforce at next week’s Privacy Academy in San Jose, CA.