Privacy News | Daily Dashboard


Top Privacy News

PRIVACY LAW—U.S.

Senate Committee Approves E-Privacy Bill (November 30, 2012)
The Senate Judiciary Committee Thursday approved a bill aimed at improving privacy protections for e-mails and other electronically stored data, The New York Times reports. The proposed bill would require law enforcement authorities to obtain a warrant prior to accessing electronic messages. The bill is not expected to make it through Congress this year, but the Center for Democracy & Technology called it a “historic” step. Committee Chairman Patrick Leahy (D-VT) said, “Like many Americans, I am concerned about the growing and unwelcome intrusions into our private lives in cyberspace,” adding, “I also understand that we must update our digital privacy laws to keep pace with the rapid advances in technology.”

ONLINE PRIVACY

Deep Packet Inspection Standards Raise Concerns (November 30, 2012)

The United Nations’ International Telecommunication Union has approved a deep packet inspection (DPI) standard that is raising privacy and security concerns, IDG News Service reports. The Center for Democracy & Technology’s (CDT) website says the standard—known as the “Requirements for Deep Packet Inspection in Next Generation Networks,” or Y.2770—“could give governments and companies the ability to sift through all of an Internet user’s traffic—including e-mails, banking transactions and voice calls—without adequate privacy safeguards.” CDT Chief Computer Scientist Alissa Cooper said, “There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology.”

PRIVACY LAW—UK

Leveson Publishes Report on Data Protection Act (November 30, 2012)

Lord Justice Leveson has published his report to the Ministry of Justice on the Data Protection Act, reports Field Fisher Waterhouse’s Privacy and Information Law Blog. The recommendations include amending the right to compensation; repealing “certain procedural provisions around journalism”; extending the Information Commissioner Office’s prosecuting powers to include offences related to breaches of the Data Protection Principles, and reconstituting the ICO to become an information commission led by a board of commissioners.

PRIVACY LAW—AUSTRALIA

Mixed Reactions to Privacy Act Amendments (November 30, 2012)

COMPUTERWORLD reports on mixed reactions to amendments to the Privacy Act, passed in the Australian Parliament this week. The Privacy Amendment (Enhancing Privacy Protection) Bill 2012 gives Privacy Commissioner Timothy Pilgrim additional powers, including the ability to issue million-dollar fines to government agencies and companies that repeatedly violate the law. Jodie Sangster of the Association for Data-driven Marketing & Advertising says the opportunity was missed to create a model privacy framework for the digital era, though she praised some of the amendment’s provisions.

SURVEILLANCE—U.S.

Lawmakers Unimpressed with FAA Drone Response (November 30, 2012)

Reps. Ed Markey (D-MA) and Joe Barton (R-TX) are dissatisfied with Federal Aviation Administration (FAA) responses to the representatives’ April inquiry on the ways privacy concerns are being addressed with respect to domestic drones, The Hill reports. The FAA said it “recognizes that there are privacy concerns” but doesn’t require drone operators to follow privacy guidelines, the report states. “It took the FAA five months to answer seven questions,” Barton said. “I wish I could say the responses were worth the wait, but it was clear the agency isn’t focusing enough on privacy.” Meanwhile, a privacy impact assessment on Department of Homeland Security tests of small drones in Oklahoma indicates few privacy concerns, though actual deployment will present them, Fierce Homeland Security reports.

HEALTHCARE PRIVACY—U.S.

Healthcare Chain Fined $95,000 for Breaches (November 30, 2012)

The California Department of Public Health has fined hospital chain Prime Healthcare Services, Inc., for violations of patient confidentiality, Los Angeles Times reports. The $95,000 fine was levied after it was learned Shasta Regional Medical Center—which operates under Prime Healthcare Services—shared a woman’s medical files with the media and sent information about her treatment to 785 hospital employees. Prime Healthcare has appealed the fine. A company spokesperson said, “Shasta Regional Medical believes that disclosures, if any, were permitted under both federal and state law. Shasta Regional Medical Center is committed to the privacy of its patients.”

PRIVACY LAW—AUSTRALIA

Privacy Commissioner Granted Additional Powers (November 29, 2012)
The Australian Parliament has passed the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, COMPUTERWORLD reports. The law, slated to go into effect in March 2014, will give the nation’s privacy commissioner new powers, including the ability to pursue civil penalties in serious privacy breach incidents. The commissioner will also be granted the right to conduct privacy assessments for both public and private organizations in Australia. Privacy Commissioner Timothy Pilgrim said, “While I will continue to work with agencies and businesses to help them comply with privacy laws, I will not shy away from using these powers in appropriate cases.”

CHILDREN’S PRIVACY—U.S.

Children Circumvent COPPA Rules (November 29, 2012)

Facebook prohibits children under the age of 13 from signing up for an account, per COPPA rules; however, children often lie to get around the age requirement—an estimated five million children under 13 had Facebook accounts this year, according to Consumer Reports. A recent study by the Polytechnic Institute of New York University has found that, “in a given high school, a small portion of students who lie about their age to get a Facebook account can help a complete stranger collect sensitive information about a majority of their fellow students,” The New York Times reports. One of the study’s authors says COPPA seems to encourage kids to lie about their age online. Meanwhile, Rep. Lee Terry (R-NB) will become the new chairman of the Commerce, Manufacturing and Trade subcommittee, which has jurisdiction over the FTC and its online privacy efforts, including its work on COPPA. (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

New Devices Test Laws’ Applicability (November 29, 2012)

New medical devices are testing traditional definitions of medical records and therefore the application of privacy laws surrounding them, The Wall Street Journal reports. Amanda Hubbard, for example, wears a defibrillator implant in her chest that collects data on her heart rhythm changes and sends that data to Medtronic, Inc., which shares it with her doctor. Rival companies collect similar data from their patients. Medtronic says it’s contemplating selling the data to insurance companies to predict disease and lower premiums. One expert says prescribed devices are generally covered under HIPAA laws, but mobile apps that allow patients to monitor their own health, for example, may not be. (Registration may be required to access this story.)

ONLINE PRIVACY

New W3C Mediator Looks To Salvage DNT Process (November 29, 2012)

The New York Times reports on the “acrimonious discussions” within the World Wide Web Consortium’s (W3C) effort to work out a global Do-Not-Track standard and the difficult task facing newly appointed W3C Co-Chair Peter Swire, CIPP/US. “People can choose not to have telemarketers call them during dinner. The simple idea is that users should have a choice over how their Internet browsing works as well,” Swire said, adding, “The overarching theme is how to give users choice about their Internet experience while also funding a useful Internet.” (Registration may be required to access this story.)

DATA PROTECTION—UK

Her Job: Manage the Data for the 2012 Olympics (November 29, 2012)

Patricia Poku isn’t new to data protection. A quick glance at her resume would tell you that. In fact, she’s spent the last 20 years or so in the field. But perhaps no amount of experience could have prepared her for the herculean task she most recently took on: head of data protection at London 2012—the Olympics and the Paralympics. In this exclusive for The Privacy Advisor, Poku discusses the challenges she faced in this “once-in-a-lifetime experience in data privacy,” including overseeing roughly 85 databases—each containing an average of about 100,000 data sets—and training a constant influx of new volunteers and staff on the importance of data protection.

DATA LOSS—UK & U.S.

Breaches Affect NASA Employees, UK Civil Servants (November 29, 2012)

In January 2011, NASA employees lost a Supreme Court case against the agency claiming its background checks violated privacy rights. This month, some of those employees received a letter warning them that a data breach at the agency may have exposed their personal information, The New York Times reports. The Government Accountability Office says NASA has experienced “numerous cyberattacks” in recent years and in 2009 issued a report titled “NASA Needs to Remedy Vulnerabilities in Key Networks,” the report states. Meanwhile, the UK’s Civil Service Sports Club is notifying more than 100,000 British civil servants of a breach that occurred two years ago and may have resulted in the theft of their personal information. (Registration may be required to access this story.)

DATA LOSS—U.S.

Top Gov’t Breaches of 2012, UAMS Reports Breach (November 29, 2012)

Dark Reading reports on the “Top Government Data Breaches of 2012,” including the breach of 3.3 million unencrypted bank account numbers and 3.8 million tax returns at the South Carolina Department of Revenue; the loss of sensitive payroll information on approximately 700,000 individuals at the California Department of Social Services, and the loss of more than 780,000 Utah citizens’ personal information when hackers broke into a server maintained by the Utah Department of Technology Services this spring. An opinion piece in The Salt Lake Tribune says a proposed bill that aims to prevent similar breaches in Utah would “do little, if anything.” Meanwhile, the University of Arkansas for Medical Sciences has alerted 1,500 patients of a breach.

DATA PROTECTION—EU

EU Commissioner Threatens Antitrust Action for Data Portability Violations (November 28, 2012)
Indicating support for the draft data protection regulation, EU Competition Commissioner Joaquín Almunia has threatened antitrust action against businesses that fail to comply with data portability rules provided under the draft. In a speech in Brussels this week, Almunia said consumers must be able to “easily and cheaply” transfer their data from one company to another in order for competition to thrive. “The proposed regulation aims to ensure the ‘right of portability,’” he said, adding that although the commission has not investigated such a case yet, firms’ use of personal data to “keep competition at bay” is possible.

ONLINE PRIVACY

W3C Appoints Swire, Looks To Jumpstart DNT (November 28, 2012)

The World Wide Web Consortium (W3C) has appointed Ohio State University Law Prof. Peter Swire, CIPP/US, as co-chair of the Tracking Protection Working Group—a group charged with defining the Do-Not-Track (DNT) protocol and establishing an agreement on what a DNT signal will mean in practice. The Wall Street Journal reports that chances of a DNT deal by the end of the year are slim. The Center for Digital Democracy’s Jeffrey Chester said, “It’s a sinking ship,” while the Digital Advertising Alliance’s Stuart P. Ingis noted the process is broken. Previous Working Group Co-Chair Aleecia McDonald, a Stanford privacy researcher, said she supports the new leadership in the face of what has recently become a “very contentious” process. (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO Fines Text-Spammers 440,000 Pounds (November 28, 2012)

The Information Commissioner’s Office (ICO) has fined the two owners of Tetrus Telecoms 440,000 pounds for sending out illegal text messages that offered compensation for accidents and then selling the collected data to claims management firms for profit. It is the first time the ICO has levied such a fine to the illegal marketing industry and, the report states, three additional firms may be in the agency’s sights. Information Commissioner Christopher Graham said, “The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls, and we are currently cracking down on the companies responsible, using the full force of the law.”

CLOUD COMPUTING—CANADA

Laws Expose Firms to Class-Action Risks (November 28, 2012)

Financial Post reports on lawyers’ assertions that the rapid development of privacy laws in Canada—while private- and public-sector businesses increasingly store customer data in the cloud—could lead to an influx of class-action lawsuits for data losses. Under anti-spam legislation and the recently established common law tort, plaintiffs have a “tremendous ability” to bring claims without proving harm, said Alex Cameron, an attorney at Toronto’s Fasken Martineau DuMoulin. “Over the past two years, Canada has seen a number of developments which point to a great increase in class-action activity for privacy-related issues,” he said. Federal privacy legislation holds businesses responsible for information processed by a third-party, the report states.

DATA PROTECTION—NEW ZEALAND

Shroff: Gov’t Agencies Must Improve (November 28, 2012)

Privacy Commissioner Marie Shroff says government agencies must improve their privacy practices if they want to regain public trust, Stuff.co.nz reports. That warning is based on the commissioner’s annual report, which indicates public concern about companies’ use of personal information. The commissioner’s office received a record-high 1,142 complaints in the measured year, which ended June 30. Shroff said breaches at the Accident Compensation Corporation and Social Development Ministry indicate a need for government agencies—the subject of the majority of consumer complaints—to take privacy more seriously. “The tech revolution has crept up on them,” Shroff said.

PRIVACY LAW—U.S.

New Version of Privacy Bill Gets Advocates’ Support (November 28, 2012)

The latest version of Sen. Patrick Leahy’s (D-VT) draft electronic privacy bill has gained the support of the American Civil Liberties Union (ACLU) and the Center for Democracy & Technology (CDT), The Hill reports. Released Monday night, the new version will not include broad exceptions for civil investigations, the report states. The ACLU’s Chris Calabrese said, “We’re very happy that all contents, e-mails and other communications are protected by a warrant,” adding, “The central tenet of the bill remains unchanged. We think that’s a big win for privacy, and we of course hope it lasts through the markup.” The CDT’s Greg Nojeim said the bill is “significantly improved as compared to the draft that was circulating last week.”

STUDENT PRIVACY—U.S.

School Smart ID Badges Spur Privacy Suit (November 28, 2012)

A Texas school district experimenting with “locator” chips in student identification cards has been sued by the family of a student, the Associated Press reports. The so-called SmartID badges allow school administrators to track students by location, but one family says the badges infringe on the student’s religious and privacy rights. According to the report, a state district judge was set to hear the case this week, but Northside Independent School District officials have asked that the case be moved to a federal court.

PRIVACY LAW—SINGAPORE

Opinion: PDPA Leaves Open Privacy Loopholes (November 28, 2012)

The newly inked Personal Data Protection Act (PDPA) may have “a few holes, and the pace of change in technology could mean it is already out of date,” opines Richard Hartung in TODAYonline. The PDPA mandates that organizations acquire users’ consent prior to data collection and processing, but Hartung notes “organizations may engage reams of lawyers to ensure their documents provide the consent from consumers that the law requires.” According to the bill, data can only be used for purposes that “a reasonable person would consider appropriate,” which leaves a “diverse” set of “interpretations of what is ‘reasonable,’” writes Hartung.

HEALTHCARE PRIVACY—U.S.

OCR Issues De-Identification Guidance (November 27, 2012)
The Department of Health and Human Services’ Office for Civil Rights has released guidance on methods for de-identification of protected health information in accordance with the HIPAA Privacy Rule. The guidance synthesizes stakeholder input solicited during a March workshop in Washington, DC, consisting of panel sessions on topics related to identification methodologies and policies. Wiley Rein’s Kirk Nahra, CIPP/US, says the new guidance “satisfies one of the many remaining HITECH obligations for HHS. It is a very technical and complicated document and breaks little new ground. It is mainly a ‘best practices’ document rather than new guidance or change in interpretation or approach. We can only hope that issuance of this guidance—which has a September 4 date on it, despite being issued on November 26—means that other HITECH/HIPAA guidance, including the long anticipated final rules, are coming soon.” Meanwhile, feedback on stage three of the HITECH Act’s electronic health record incentive program is being accepted through January 14.

PRIVACY LAW—U.S.

ECPA Changes Would Cover Cloud, Groups Urge Bipartisan Support (November 27, 2012)

Proposed changes to the Electronic Communications Privacy Act (ECPA) set for a Senate hearing this Thursday include a provision to protect consumer data stored in the cloud from warrantless searches by law enforcement, NBCNews.com reports. Greg Nojeim of the Center for Democracy & Technology said, “Requiring a warrant for e-mail and other information stored in the cloud would provide privacy to consumers, certainty to law enforcement and clarity to the companies that receive law enforcement demands.” In an op-ed for The Hill, Americans for Tax Reform’s Grover Norquist and the ACLU’s Laura W. Murphy urge bipartisan support for an upgrade to ECPA as it “has become outdated.”

DATA PROTECTION—EU

Almunia: Consumer Protection and Competition Must Find Balance (November 27, 2012)

In a speech in Brussels this week on “Competition and Privacy in Markets of Data,” Vice President of the European Commission Joaquín Almunia said privacy is becoming one of the central debates of our time. That’s thanks to technological and commercial developments enabling ever-increasing data collection possibilities and companies’ efforts to target services to consumers’ specific needs. Citing a number of privacy violations involving multiple firms, Almunia said it’s “necessary to strike the right balance between regulation and competition policy enforcement” via a “strong and effective consumer policy.” The forthcoming data protection regulation’s provision on data portability will help to ensure this, he said.

EMPLOYEE PRIVACY—CANADA

Drug Testing Vs. Privacy To Be Weighed in Courts (November 27, 2012)

Cases involving employer drug testing and employee privacy are set for hearings in two Canadian courts, the Calgary Herald reports. Next week, the Alberta Court of Appeal will hear from an energy company that is arguing against an injunction preventing the company from implementing random drug testing of employees. Next month, the Supreme Court of Canada will hear a case involving a company’s plans to have employees submit to mandatory breathalyzer tests. Both companies argue the testing improves job safety, but others argue it infringes on employees’ right to privacy. “Unlike the United States…Canada has had little experience with randomly administered on-the-job tests,” the report states. “But that could be about to change.”

CLOUD COMPUTING—EU & U.S.

Opinion: EU, Cloud Models on Collision Course (November 27, 2012)

In a column for Wired, Doug Miller writes that “European data protection interests are on a collision course with the current business models of companies such as Facebook and Google, which rely on personal data to thrive.” Miller presents four potential outcomes to this “impasse”—the EU will need to lower policy expectations; cloud providers will need to “substantially” alter their business models; cloud providers may pull out of Europe altogether, or both sides will reach “a sane resolution.” The EU’s stance should matter to U.S. interests, opines Miller, because “what the Europeans are pushing for is something we could all benefit from,” including “more control over and knowledge about how our personal data is used by cloud providers.”

PRIVACY LAW—SINGAPORE

Should Data Protection Act Cover Public Entities? (November 27, 2012)

A ZDNet report examines whether Singapore’s forthcoming Personal Data Protection Act (PDPA) should be expanded to cover public agencies in addition to the private sector, making the legislation more “transparent, robust and comprehensive.” The act comes into force in January and includes a do-not-call registry and the creation of a new enforcement agency to regulate private-sector use of personal data. Elle Todd, of the law firm Olswang, said the law does not include government agencies because of an existing regime, which, in some instances, contains rules stricter than those of the PDPA. She added, however, that it may make sense to integrate the laws to have one general act.

BEHAVIORAL TARGETING—U.S.

Industry’s Self-Reg Efforts Hampered (November 27, 2012)

AdAge reports on the challenge facing the advertising industry’s efforts to demonstrate to the government that self-regulation is possible. The Digital Advertising Alliance has created an Ad Options icon supplying consumers with information about the data advertisers are collecting about them to serve targeted ads. The effort is being hampered, however, by the lack of participation by Facebook—the largest publisher of display ads in the U.S., the report states. “Facebook’s failure to participate in self-regulation makes the entire initiative very easy to criticize,” said Jim Brock, founder of PrivacyChoice. “They do not do the program a favor by stepping outside of it.”

SOCIAL NETWORKING

Regulators, Advocates React to Data Use Changes (November 26, 2012)
Proposed changes to Facebook’s data use policy have some regulators and privacy advocates concerned about potential privacy violations, The Washington Post reports. Announced last Wednesday, the changes would include a plan to share data with affiliates such as Instagram, instituting “new filters for managing incoming messages” and ending the user voting system for policy changes. Ireland Deputy Data Protection Commissioner Gary Davis has “expressed confidence” the company will give European users the right to approve or deny affiliate data sharing. Davis said, “We expect Facebook to be reverting (to previous policies) on these issues.” At least two privacy advocacy groups are expected to file a complaint with the FTC over the proposed changes. (Registration may be required to access this story.)

PRIVACY LAW—EU & UK

Gov’t Assessment Indicates Regulation Would Cost Companies (November 26, 2012)

The UK government says EU data protection laws will result in extra costs rather than savings for businesses, Out-Law.com reports. The net cost of annual compliance with the draft data protection regulation would be between 100 and 360 million pounds for UK businesses, public-sector organizations and charities, according to Justice Minister Helen Grant, who says the “burdens the proposed regulation would impose far outweigh the net benefit estimated by the commission.” Grant’s comments are based on a recent impact assessment published by the UK Ministry of Justice. The commission has said it anticipates reforms to save organizations 2.3 billion euros annually in administrative costs.

PRIVACY LAW—EU & U.S.

Opinion: EU, U.S. At Important Crossroad (November 26, 2012)

In an opinion piece for European Voice, U.S. Department of Commerce General Counsel Cameron Kerry discusses the need for a global framework for national privacy policies. Kerry says the U.S. and EU “must take care to preserve the free flow of data that supports one of the most significant trade relationships in the world. Otherwise, our good intention to protect privacy could hinder the economic growth that both sides need.” The Safe Harbour framework has been a great success for streamlined compliance with laws and sufficient consumer protection, and the U.S. and European Commission are making efforts to enhance the framework, Kerry says, adding the EU and U.S. are at an important crossroad.

MOBILE PRIVACY—U.S.

Legal Consensus Lacking in Searches of Cellphones (November 26, 2012)

The New York Times reports on the lack of consensus among U.S. lawmakers and judges on whether and when law enforcement has the right to search a suspect’s cellphone. Electronic Frontier Foundation’s Hanni Fakhoury said, “The courts are all over the place.” According to the report, the issue will garner attention on Thursday when a Senate committee considers changes to the Electronic Communications Privacy Act (ECPA). Ohio State University Law Prof. Peter Swire, CIPP/US, said neither ECPA nor the Constitution took “into account what the modern cellphone has—your location, the content of communications that are easily readable, including Facebook posts, chats, texts and all that stuff.” (Registration may be required to access this story.)

PRIVACY LAW—AUSTRALIA & NEW ZEALAND

Commissioners Call for Increased Powers (November 26, 2012)

Privacy Commissioners in Australia and New Zealand are seeking increased powers to combat data breaches and other privacy concerns, COMPUTERWORLD reports. At the iappANZ Privacy Summit last week, New Zealand Privacy Commissioner Marie Shroff said regulators must be responsive to privacy incidents and if breaches continue, “people will lose trust.” At the same event, Australian Privacy Commissioner Timothy Pilgrim reported his office received 1,357 privacy complaints in the 2011-2012 fiscal year, adding privacy concerns “remain at the forefront of people’s minds.” Australian Prime Minister Julia Gillard announced the government will conduct an inquiry into “institutional responses to child sex abuse claims” related to the protection of personal information, which New South Wales Privacy Commissioner Elizabeth Coombs says will test the balance between open information and data protection.

PRIVACY LAW—INDIA

Minister Seeks Data Protection Act (November 26, 2012)

State IT Minister Ponnala Lakshmaiah is pushing for nationwide data protection legislation for India, the Deccan Chronicle reports. In a letter to the union minister for communication and information technology, Lakshmaiah wrote, “India, in its immediate surroundings, has a problem to tackle in the form of a bad reputation that the outsourcing industry has earned abroad because of large-scale thefts in the recent past.” During a visit to the UK, the minister said industry representatives strongly recommended that India take up data protection legislation. “Unlike the U.S. or the European Union, India does not have a Data Protection Act,” said Lakshmaiah, adding that the “need for a specific and stringent legislation” is of “paramount importance.”

PERSONAL PRIVACY—U.S.

Drivers Opt-In To Behavior-Based Insurance Rates (November 26, 2012)

The New York Times reports insurance companies are increasingly offering auto insurance discounts to drivers willing to have their driving behavior captured and analyzed. The driving data is collected with a small device drivers connect to their car’s computer system that records such details as distance traveled and second-by-second speed. Progressive’s model intentionally does not collect GPS details “so the car’s exact location is not known; otherwise, more drivers might be nervous about using it,” the report states, noting concerns, however, about how such driving data could be used in post-accident investigations and litigation. (Registration may be required to access this story.)

PRIVACY LAW—EU

The Personalities, Challenges Behind Proposed Regulation (November 21, 2012)
The New York Times explores two personalities behind the development of the proposed EU data protection regulation. With Ireland poised to assume the presidency of the EU, Ireland Minister of Justice, Equality and Defense Alan Shatter will be faced with the “big challenge” of cobbling together an agreement for a new EU privacy regime. Shatter said, “I think it is possible to reconcile the legitimate and economically important activities of the advertising industry with privacy issues.” Isabelle Falque-Pierrotin, head of France’s data protection authority (CNIL), discusses the CNIL’s investigation of Google and her preference for the current decentralized system of regulators but with improved cooperation among national authorities. Meanwhile, the top cybersecurity agency in Europe has said there are “technical limitations” to the right to be forgotten. (Registration may be required to access this story.)

PRIVACY LAW—EU

Commission To Renegotiate Convention 108 (November 21, 2012)

The European Commission (EC) has adopted a recommendation allowing it to negotiate the modernization of the Council of Europe’s convention on data protection (Convention 108) on behalf of the EU, according to an EC press release. EU Justice Commission Vice President Viviane Reding said she is “very pleased to see the Commission representing the EU at the negotiating table in the Council of Europe. We are setting new and higher standards for data protection in the EU,” and added, “But in this brave new digital age, data knows no national borders—these negotiations are an opportunity to build a new gold standard of data protection across the globe.”

ONLINE PRIVACY—U.S.

Varying Reports on Content of E-mail Privacy Bill (November 21, 2012)

A CNET News report says a Senate proposal aimed at protecting citizens’ e-mail privacy has been “quietly rewritten” and now gives government agencies more surveillance power. Sen. Patrick Leahy (D-VT) rewrote the bill following concerns from law enforcement, the report states. Forbes reports, however, that the version of the bill CNET News reported on is not the version that will be considered at a hearing next week. A Senate judiciary aide said Leahy “does not support carve outs for warrantless searches of e-mail content” and that he “remains committed to upholding privacy laws and updating the outdated Electronic Privacy Communications Act.”

DATA LOSS—U.S. & NEW ZEALAND

Breaches at Insurance Co, Payroll Co, and One ID Theft Conviction (November 21, 2012)

Hackers accessed the information, including Social Security numbers, of more than 28,000 Nationwide Mutual Insurance Co. customers in Georgia and an unknown number in other regions of the U.S., spurring an FBI investigation, reports The Atlanta Journal-Constitution. Meanwhile, a U.S. federal jury has convicted a man of identity theft and conspiracy to gain unauthorized access to computers after stealing more than 120,000 e-mail addresses belonging to iPad users. And in New Zealand, the personal information of 12 teachers at Nelson schools was added to a Waikato school's payroll list. The information included personal addresses, cellphone numbers and bank details. The breach is related to a new payroll system the Ministry of Education implemented, and it is being attributed to human error.

PRIVACY LAW—U.S.

Judge Dismisses Breach Class-Action (November 21, 2012)

Alan Pate of Baker & Hostetler reports on a federal judge’s November 14 ruling in the Western District of Washington dismissing a class-action lawsuit against video-game developer Valve Corporation. The suit followed a breach of the video game’s distribution platform, “Steam,” in which hackers gained access to Steam subscribers’ billing addresses, online IDs, passwords and credit card information. The subscribers sued, but Federal Judge James Robart said the plaintiffs failed to adequately plead damages, adding that when “personal information is compromised due to a security breach, there is no cognizable harm absent actual fraud or identity theft.” (Registration may be required to access this story.)

HEALTHCARE PRIVACY—U.S.

Healthcare Organizations Await Final Rules (November 21, 2012)

GovInfoSecurity reports on lingering uncertainty surrounding the much-delayed omnibus package of healthcare regulations. The regulation will include modifications to HIPAA’s breach notification rules, including clarification about when a breach must be reported, and will specify that using genetic information for insurance underwriting is a privacy violation. Some healthcare organizations report difficulty setting privacy and security priorities without the regulations. The Department of Health and Human Services Office for Civil Rights (OCR) has not indicated when the final rules will be handed down. A former OCR employee speculates, however, that the rules will be published in December.

EMPLOYEE PRIVACY—U.S.

Health Incentive Programs Cause Concerns (November 21, 2012)

Incentive programs offered by employers for discounts on health insurance premiums are causing concerns about employee privacy, Minnesota Public Radio reports. At the University of Minnesota Press, for example, employees will receive a $300 discount on health insurance premiums in 2013 for participating in a health-risk questionnaire, health coaching and biometric screening, the report states. One expert says about 90 percent of companies offer health-based incentives. Despite the University of Minnesota’s assurance that health data on employees is collected by a third party and returned as an aggregate number, some have expressed concerns. The Center for Democracy and Technology’s Deven McGraw recommends employees ask questions about data collection and use.

PRIVACY LAW—EU

Company Warns of Non-Cooperation, Lengthy Court Battles (November 20, 2012)
Out-Law.com reports on comments by Facebook concerning the inclusion of fines of up to two percent of a company’s global turnover for violations of the proposed EU data protection reforms. In comments to the Irish data protection commissioner, the social networking company said businesses may withdraw from cooperation with regulators and engage in lengthy court battles, the report states. “The high level of potential sanctions for breaches of the regulation risks turning relations between companies and regulators into a combative one and may undermine the incentive of Internet companies to invest in the EU,” Facebook has stated.

ONLINE PRIVACY

Group Working on Privacy Policy Iconography (November 20, 2012)

A group of lawyers, coders and industry representatives have begun an experiment to make privacy policies “more palatable” to online users, The New York Times reports. The goal is to comb through the privacy policies of 1,000 websites and assign corresponding icons to educate users on how a website uses, shares and retains personal information. Mozilla Chief Privacy Officer Alex Fowler, whose firm is housing the experiment, said, “We are in a model now where no one reads privacy policies…Does icon-ifying them make it of interest to the user? We have a ways to go.” (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—CANADA

Commissioner Calls For Answers on Mini-Visas (November 20, 2012)

Privacy Commissioner Jennifer Stoddart is raising concerns about a new mini-visa that will require some visitors to Canada to disclose personal information that may include details about their mental health status and drug use, Canada.com reports. Stoddart has called on the government to ensure that details of the Electronic Travel Authorization (eTA), part of Canada’s Beyond the Border security deal with the U.S., are lawful. “One of my office’s concerns about the eTA program is its lack of transparency and the degree to which the details of the program are deferred to regulation,” she said, adding questions on data use, retention and government sharing have not yet been addressed.

EMPLOYEE PRIVACY—U.S.

State Seeks To Protect Social Media Accounts (November 20, 2012)

XpertHR reports on a New Jersey bill that aims to prohibit employers from requiring potential or current employees to provide usernames and passwords to social networking websites. California, Illinois and Maryland, among other states, have passed similar bills. AB 2878, which passed the New Jersey Senate and now moves on to the Assembly, also prohibits employers from inquiring as to whether a prospective or current employee has an account or profile on a social networking site and allows for civil penalties against employers in the amount of $1,000 for a first violation and $2,500 for a second—collectible by the commissioner of labor and workforce development.

DATA PROTECTION—GERMANY

German DPAs Adopt Resolutions on EU Reform, IPv6 (November 20, 2012)

German state and federal data protection authorities (DPAs) have adopted resolutions backing the European Commission’s work in harmonizing data protection law with the EU’s proposed regulation and introducing the migration from IPv4 to IPv6, Hunton & Williams’ Privacy and Information Security Law Blog reports. The resolutions came out of the 84th Conference of the German Data Protection Commissioners, a bi-annual conference that includes all 16 state DPAs and Federal Commissioner for Data Protection and Freedom of Information Peter Schaar. The DPAs also published guidelines, in German, on the separation of data processing in the context of shared IT systems.

CLOUD COMPUTING—U.S.

Opinion: Schools Should Be Aware of Cloud Risks (November 20, 2012)

An op-ed in The Huffington Post discusses schools’ increasingly common inclination to hire outside companies to manage personal information. Cloud providers can manage data more effectively, efficiently and securely, the author suggests, but risks exist—including that some providers may outsource data to jurisdictions with weak privacy protections. As such, educational administrators should take precautions in choosing a cloud provider by asking questions about its data security and privacy practices, the report states. Cloud providers should agree to maintain data confidentiality and should have the appropriate safeguards for data protection, including data retention limits and proper employee training.

ONLINE PRIVACY—U.S.

Electronic Ad Sales System Raises Profiling Concerns (November 19, 2012)
The New York Times reports on little-known electronic ad sales systems helping run “the hyperkinetic world of digital advertising” in a form that “happens automatically, and imperceptibly, to most consumers.” The report states, “On the web, powerful algorithms are sizing you up, based on myriad data points: what you Google, the sites you visit, the ads you click,” adding, “Then, in real time, the chance to show you an ad is auctioned to the highest bidder.” Federal regulators and consumer advocates worry the practice “could unfairly stratify consumers,” the report states. “As you profile more and more people, you’ll start to segregate people into ‘the people you can get money out of’ and ‘the people you can’t get money out of’,” said the Electronic Frontier Foundation’s Dan Auerbach. (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

Leibowitz Discusses DNT, COPPA, Fines (November 19, 2012)

In a Q&A for The Wall Street Journal, Federal Trade Commission (FTC) Chairman Jon Leibowitz discusses the current state and future of Do Not Track (DNT), COPPA and the FTC’s recent $22.5 million fine of Google. In discussing DNT, Leibowitz said, “if industry doesn’t give consumers some modest control over where their data go, they risk a legislative backlash that will be much more prescriptive next year.” The chairman was optimistic about COPPA, noting, “We’ll finish it up by the end of the year, I’m pretty sure.” Regarding the Google settlement, Leibowitz said, “We like to think that we are the cop on the beat protecting privacy.” (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Judge Approves Settlement (November 19, 2012)

U.S. District Court Judge Susan Illston has ruled that the proposed legal settlement in which Google agreed to pay a record fine of $22.5 million for privacy violation allegations is “fair, adequate and reasonable,” Mercury News reports. The settlement follows an FTC investigation into Google’s use of cookies to track users of Apple’s Safari web browser. Advocacy group Consumer Watchdog had said the settlement does not prevent Google from conducting similar tracking in the future and does not require it to destroy data already collected, calling for a tougher settlement. Illston said she agrees with the FTC that the settlement “sufficiently protects consumers from ongoing harm without exposing them to additional risks.”

SOCIAL NETWORKING—U.S.

Judge Considering New Settlement (November 19, 2012)

Reuters reports on U.S. District Judge Richard Seeborg’s consideration of Facebook's second attempt to settle allegations of privacy rights violations. Seeborg rejected a proposed class-action settlement related to Facebook’s “Sponsored Stories” earlier this year and promised a ruling "very shortly" on a revised proposal that would allow users to claim cash payments of $10 from a $20 million settlement fund, with remaining funds going to charity, the report states. In court Thursday, a Facebook attorney said the settlement provided “meaningful protections,” adding the judge should “ensure a fair settlement—not write national privacy policy,” the report states. “Trust me, I'm not proposing to set grand policy with privacy issues writ large,” Seeborg said.

ONLINE PRIVACY—EU

Survey: Minority of EU Websites Get Cookie Consent (November 19, 2012)

According to a recently released survey, a small number of websites based in the EU ask visitors for their consent to store cookies on users’ computers, IDG News Service reports. Not one of the 50 most popular websites in France and Germany features a pop-up asking for consent. The TRUSTe-based survey states 12 percent of UK-based websites have taken steps to comply with the cookie directive “with an onscreen pop-up, banner or tab informing users about cookies on the site.”

CONSUMER PRIVACY—UK

OFT To Investigate Personalized Pricing (November 19, 2012)

The UK’s Office of Fair Trading (OFT), a regulator that oversees consumer protection issues, has initiated a “call for information” on possible consumer law violations by businesses collecting and using online behavioral data to offer individualized prices to consumers. The OFT said it “will look at how businesses use such consumer information, including whether they change the prices they offer individual shoppers as a result” and added it “will consider business and technological developments in the online shopping market, consumers’ understanding of how their information is used and whether they are being treated unfairly in law as a result of any firms using this practice.”

STUDENT PRIVACY—U.S.

Proctoring-by-Webcam for Online Courses (November 19, 2012)

With the increase in numbers of students taking online courses has come the challenge of proving that students are completing the work, reports the MIT Technology Review. Remote proctoring may be the solution. Proctors gain screen-sharing abilities and access to test-takers’ webcam feed allowing them to see the test-takers’ surroundings and what tabs they have open while taking tests. Proctors can intervene and, for example, remind students that consulting a search engine for help with answers is not permitted. “Proctoring tests opens a remarkable window on the world,” one proctor says.

BEHAVIORAL TARGETING—U.S.

Data Collection on Voters Important to Political Campaigns (November 19, 2012)

AdAge reports on politicians’ use of data collection tactics that allow their campaigns to target messages to voters. Both political parties in this year’s presidential campaign spent hundreds of thousands of dollars on data services to gain insights on voters, a practice one privacy advocate says should be examined. “The Obama administration and the GOP should confront head-on the privacy issues raised by their far-reaching use of digital profiling and targeted data,” said the Center for Digital Democracy’s Jeff Chester. “It would be unfortunate for the administration’s work to advance Do Not Track and other key safeguards if they failed to tackle the use of powerful data-targeting technologies by political campaigns.”

DATA PROTECTION—IRELAND

DPC Investigating Credit Reporting Agency (November 19, 2012)

Ireland’s Office of the Data Protection Commissioner is investigating a credit-reporting agency after a series of breaches of the company’s databases, Bloomberg reports. Deputy Commissioner Gary Davis said the office has opened a preliminary inquiry into Dublin-based Experian’s data security practices following reports that the company’s database had been breached multiple times since 2006, the report states. “At this stage, all we’re doing is probing the matter based on media reports,” Davis said.

ONLINE PRIVACY—U.S.

Murky Laws on Gov’t Access Put Onus on Companies (November 16, 2012)
On the heels of Google’s Transparency Report showing increased requests from governments for access to online data, ReadWrite reports that citizens’ “privacy protections are weakening as a result of Congress’ failure to update the Electronic Communications Privacy Act (ECPA),” adding that this puts private companies in the “privacy protector” role. The Wall Street Journal quotes Google's senior counsel as saying “ECPA provisions no longer reflect the way people use the services or the reasonable expectations they have about government access to information they store in the cloud.” The Senate Judiciary Committee will hold a markup on November 29 on legislation that would require police to obtain a warrant before accessing electronic communications.

CLOUD COMPUTING—EU

EDPS Calls for Provider, User Responsibility (November 16, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has released his opinion on the European Commission communication on “Unleashing the Potential of Cloud Computing in Europe.” The opinion highlights data protection challenges and how the proposed data protection regulation will address them. The commission’s communication proposes key actions and steps to accelerate cloud computing services in Europe. The EDPS notes cloud computing can “bring enormous benefits” but adequate protection must be provided, adding that cloud providers must take responsibility and cloud customers fulfill data protection obligations. “The complexity of cloud computing technology does not justify any lowering of data protection standards,” the EDPS said.

PRIVACY LAW—UK

Tribunal To Decide if Orgs Can Appeal Fines after Payment (November 16, 2012)

An Information Rights Tribunal will rule on whether organizations that choose to pay fines issued by the Information Commissioner’s Office (ICO) promptly in order to receive a 20-percent discount reserve the right to appeal the penalty, reports Out-Law.com. The question came up last month when the Scottish Borders Council launched an appeal to a reduced fine it paid earlier this year, saying it had “done so with the caveat that (it) still reserved the right to appeal.” The ICO says, however, "The objectives of the early payment scheme are to…reduce the costs to the public purse,” adding, “The effect of such reservations would be to nullify the advantages which the scheme is intended to achieve."

DATA LOSS—U.S.

Breaches Bring Investigations, Costs, Warnings (November 16, 2012)

Naked Security reports that the personally identifiable information of a “large number” of NASA employees and contractors was exposed through the theft of an unencrypted laptop. Meanwhile, Adobe has announced an investigation into the release of 230 names, e-mail addresses and encrypted passwords that a hacker claims to have stolen from a company database containing 150,000 records; a former FBI official estimates the South Carolina Department of Revenue breach to cost businesses upwards of $330 million; Chicago election board officials announced the personal information of about 1,200 registered voters was exposed online; and Alere Home Monitoring is warning 100,000 patients taking anticoagulant drugs that their data was contained on a laptop stolen from an employee’s car.

GEO PRIVACY—AUSTRALIA

Expert: Maybe We Need A “Do-Not-Follow” List (November 16, 2012)

SBS World News reports on one privacy expert’s call for a “do-not-follow list” as location-based technologies proliferate. Mapping applications have made it possible to see 75 percent of the Earth in high-resolution images, and future technologies will use smartphone features to enable views inside of parked cars, skyscrapers, airports and shopping centers. Privacy technologies researcher Suelette Dreyfus says because laws can’t keep pace with technology, the government should take the public’s pulse. “Maybe we now need a ‘do-not-follow’ list,” Dreyfus says, where data logged is anonymous.

SURVEILLANCE—CANADA

Denham Wants Changes to Licence-Plate Scanning Plan (November 16, 2012)

BC Privacy Commissioner Elizabeth Denham has said police need to make changes to their Automatic Licence Plate Recognition (ALPR) program in order to comply with privacy laws, reports The Globe and Mail. ALPR uses cameras mounted on police vehicles to scan licence plates and flags drivers who have or have had infractions. Denham’s main concern is that, currently, “non-hit” data—that which doesn’t raise a flag—is added to a database and eventually deleted. “Non-hit data is…information that the police have no reason to believe relates to criminal activity. This information is not serving a law enforcement purpose, and therefore (Victoria police) cannot disclose it to the RCMP,” Denham wrote in her report.

PRIVACY LAW—ITALY

Garante Sanctions Telecom, Forbids Company’s Video Surveillance (November 15, 2012)

Panetta & Associati’s Rocco Panetta reports on British Telecom Italy’s sanction of €75,000 for not providing the Italian data protection authority (Garante) information it had requested. The Garante had sanctioned the company €20,000, which the company protested with a written defense. But the company’s arguments “were not able to lift the company from liability for not having replied to the Garante,” Panetta writes. Meanwhile, the Garante has given a “green light” to a draft decree “aimed at fixing criteria and procedures of telematic transmission of data” on euros suspected to be counterfeit. The Garante has also forbidden a call-center company from using a video-surveillance system capable of detecting images and conversations.

PRIVACY LAW—U.S.

Cybersecurity Bill Voted Down (November 15, 2012)
The Senate has voted 51-47 to block Sen. Joe Lieberman’s (I-CT) cybersecurity bill, POLITICO reports. Some lawmakers and privacy advocates had expressed concern that “serious information-sharing mandates” would become law without proper oversight. The bill, which was co-sponsored by Sen. Susan Collins (R-ME), had been revised after it was voted down in the Senate earlier this year. Meanwhile, President Barack Obama’s administration has been exploring ways to protect the nation from cyber attacks. An executive order “directing agencies to work with industry to establish cybersecurity standards and share information” is one proposal.

CONSUMER PRIVACY—U.S.

FTC Announces Cross-Border Code of Conduct Agenda (November 15, 2012)

The Federal Trade Commission (FTC) has announced the agenda for its forum, Enforceable Codes of Conduct: Protecting Consumers Across Borders, which will explore the use and development of voluntary codes to govern areas not traditionally under government oversight. The agenda includes a speech by former FTC Chairman William Kovacic and panel discussions on the rise of cross-border codes of conduct and two code-based systems, one of which was created to give consumers in the Asia-Pacific region more consistent privacy protections, says an FTC release. The forum is open to the public, and individuals have an opportunity to submit relevant content to be posted to the event website.

SURVEILLANCE—EU

EDPS Publishes Report on Spot Inspections (November 15, 2012)

The European Data Protection Supervisor (EDPS) is “reasonably satisfied” after inspecting 13 Brussels-based EU institutions to evaluate their compliance with the 2012 EDPS Video-Surveillance Guidelines. New Europe reports that the inspections were conducted in June and July of this year and found 11 of the 13 institutions provide a data protection notice, though “not in line with the language, format and content requirements of the guidelines.” More needs to be done, the EDPS says, noting most of the institutions did not have their video-surveillance policy available online. Assistant EDPS Giovanni Buttarelli said “the EDPS will continue to closely monitor and follow up video-surveillance compliance by EU institutions and bodies."

PRIVACY—CANADA

Veterans Call For Inquiry Into Complaints (November 15, 2012)

The Canadian Press reports on veterans’ calls for inquiries into complaints of alleged privacy violations. After the veterans ombudsman received nine complaints in the last five years, seven of which were referred to the privacy commissioner, veterans Harold Leduc and Tom Hoppe are calling for investigations by both the ombudsman and Privacy Commissioner Jennifer Stoddart on their filed complaints. A citizens’ group has demanded a public inquiry, alleging that privacy violations at Veterans Affairs targeted advocates.

HEALTHCARE PRIVACY—U.S.

Disclosure Bill Passes Committee Unanimously (November 15, 2012)

The Salt Lake Tribune reports on a proposed bill that would require Utah hospitals and clinics to disclose their data-sharing practices on privacy notices. The bill—proposed by Sen. Stuart Reid (R-Ogden) following an April data breach affecting about 780,000 Utah patients’ personal information—has passed the state’s interim Health and Human Services Committee unanimously. The bill would require healthcare providers to notify patients that a provider “has, or may, share their ‘personally identifiable’ information with Medicaid.” It would require the Utah Department of Health to draft the required language and verify that providers comply with the measure.

PRIVACY

DPAs Discuss Self-Regulation, Cross-Border Rules (November 15, 2012)

Hogan Lovells’ Christopher Wolf reports for The Privacy Advisor on the recent gathering of privacy authorities and professionals at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay. While Article 29 Working Party Chair Jacob Kohnstamm announced that future conferences will consist of private meetings between data protection authorities unless the conference’s host country decides otherwise, Wolf says the conference’s public sessions are very useful, including the “informal interactions in the hallways and at meals among the public and official participants.” The conference saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics.

ONLINE PRIVACY—U.S.

Customer Education Key to Smart Grid Deployment (November 15, 2012)

FierceSmartGrid reports on various utilities’ move toward the smart grid. Those who have had successful transitions involved consumers from the beginning of implementation. A California company, for example, faced customer backlash in the form of a class-action lawsuit after deploying one of the largest smart grids in the U.S. without first warning customers, the report states, and Naperville, Illinois, is facing a federal lawsuit over privacy concerns despite its early consumer outreach program. By contrast, Florida Power & Light experienced success with a customer dashboard allowing customers to view and control their energy consumption and cost. “Clearly, customer involvement and consumer education are key” in smart grid deployment, the report states. Editor’s Note: For more on how to effectively deploy a smart grid program, see “Amidst fledgling smart grid safeguards, utilities self-regulate and an expert offers a how-to” from September’s edition of The Privacy Advisor.

ONLINE PRIVACY—U.S.

Investigation Underscores Privacy Issues (November 14, 2012)
A front page article in The New York Times reports on how the recent investigation of Gen. David Petraeus and Gen. John Allen “underscores a danger that civil libertarians have long warned about”—that government officials will “unavoidably invade the private lives of Americans” in order to investigate some crimes. Officials investigating a potential cyber stalking case came across “potentially inappropriate” e-mails and shared them with the Defense Department. Marc Rotenberg of the Electronic Privacy Information Center noted, “It’s a particular problem with cyber investigations—they rapidly become open-ended because there’s such a huge quantity of information available and it’s so easily searchable.” (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

Leibowitz: FTC Moving Forward on COPPA, DNT (November 14, 2012)

Federal Trade Commission (FTC) Chairman Jon Leibowitz says the agency is continuing its efforts on both Do Not Track (DNT) and updates to the Children’s Online Privacy Protection Act (COPPA). At The Wall Street Journal's annual CEO Conference in Washington, DC, Leibowitz said COPPA updates would likely be finished by the end of this year, but Reuters reports he was less sure of a completion date for DNT efforts. "We continue to be optimistic. It's not a certainty, though," Leibowitz said.

ONLINE PRIVACY

Government Requests for Online Data Increase (November 14, 2012)

Google has released its sixth Transparency Report since 2009 outlining requests from government agencies and others to access data and remove content. BBC News reports that in the first six months of 2012, governments across the globe have made almost 21,000 requests to access data held by Google. The U.S. government made the most requests, totaling 7,969, with Turkey leading the requests for content removal at 501 requests. "This is the sixth time we've released this data, and one trend has become clear: Government surveillance is on the rise," Google said in a blog post. "Our hope is that over time, more data will bolster public debate about how we can best keep the Internet free and open."

PRIVACY LAW—EU

Member States Grapple With Proposed Regulation (November 14, 2012)

The UK remains opposed to a single data protection regime across member states, Out-Law.com reports, and is joined in its resistance by Denmark, Slovenia, Belgium, Hungary and Sweden. The countries plan to back a new data protection directive, while Bulgaria, Germany, Spain, the Netherlands, Luxembourg, France, Italy, Greece and Ireland have indicated support for a new regulation instead. UK Justice Minister Helen Grant said, “I believe that the proposed EU data protection legislation is too prescriptive, which is why I am pushing for legislation that is less burdensome—providing protection without stifling growth and innovation.”

PRIVACY LAW—U.S.

Supreme Court Rules Against Credit Card Suit (November 14, 2012)

Reuters reports on a Supreme Court ruling that “customers who receive receipts from the federal government that contain confidential credit card information may not be able to sue for damages.” The unanimous decision means the government will not lose its immunity in lawsuits seeking damages under the Fair Credit Reporting Act (FCRA). The case stems from a Chicago lawyer's credit card transaction for a federal court filing fee, the receipts for which allegedly contained his credit card’s expiration date. The suit claimed the government violated FCRA provisions protecting credit card users from identity theft.

BEHAVIORAL TARGETING

Study Examines Marketing and Privacy (November 14, 2012)

The Edelman Privacy Risk Index, produced with The Ponemon Institute, has found that 60 percent of 6,400 marketing executives from 20 countries believe “their companies don't consider privacy a priority, and more than half don't believe that a data breach would adversely affect their corporate reputations,” Direct Marketing News reports. Edelman found, however, that “eight in 10 consumers would leave banking institutions that accessed their personal information without permission,” the report states. Larry Ponemon, CIPP/US, suggests that while most direct marketers do respect privacy, marketers should identify their customers who are most concerned about privacy “and make it very easy for them to opt in or out of communications.”

SOCIAL NETWORKING—U.S.

DHS Says Monitoring Complies with Federal Law (November 14, 2012)

The recent U.S. Department of Homeland Security (DHS) compliance review says that pilot programs that monitor social networks for suspicious activity continue to be “in compliance with the privacy requirements identified in the January 2011 PIA Update and the February 2011 SORN (Privacy Act System of Records Act Notice).” However, GSN: Government Security News reports that the Electronic Privacy Information Center says it will continue efforts to stop the programs, noting the DHS review “found that the DHS social media monitoring program complied with the DHS's own privacy requirements.” The DHS says this monitoring helps it get a broader view on reports of events that may affect homeland security.
Full Story

ONLINE PRIVACY—U.S.

Study: Cookie Use Up “Significantly” (November 13, 2012)
A study conducted by the Berkeley Center for Law and Technology has found that U.S. websites are tracking significantly more users than they were five months ago, reports The New York Times. The “Web Privacy Census” project conducts periodic web crawls and measures the number of cookies and other trackers on popular websites. On the top 100 sites compiled by Quantcast, the crawls in October revealed 6,485 cookies while in May there were 5,795. Chris Hoofnagle, co-author of the report, says he hopes the data will provide a baseline for empirical information, noting, “We are not going to be well-served unless we measure these trends more rigorously.” (Registration may be required to access this story.)

DATA PROTECTION—UK

“Loophole” May Allow Orgs To Dodge Breach Fines (November 13, 2012)

TechWeekEurope reports on a tactic some organizations have considered using in order to avoid data breach fines. The Information Commissioner’s Office (ICO) has promised not to fine companies for data breaches if the breach is discovered during a voluntary audit. As such, some organizations have considered asking the ICO for an audit after a breach has already been discovered internally, the report states. This sometimes requires organizations to delete a data trail ahead of the audit. “If we discover duplicity, that there was a breach that you knew about and didn’t report, then you’re in deep trouble,” said Information Commissioner Christopher Graham. “There are no games to be played.”
Full Story

ONLINE PRIVACY—U.S.

Experts Opine on Challenges, Possible Solutions (November 13, 2012)

During last week’s privacy and technology symposium held by the Harvard Law Review, Jonathan Zittrain and Dan Solove spoke about the Internet’s effect on privacy and the challenges that come with trying to regulate it. FierceGovernmentIT reports that Solove spoke to the current model he calls the "privacy self-management approach," saying it has “cognitive and structural” problems. Zittrain discussed challenges stemming from peer-to-peer sites and discussed the complications the Fourth Amendment introduces to possible regulation. Both experts offer possible solutions; Solove highlights an increased focus on downstream data use, while Zittrain focuses on the ability to qualify or delete personal information online.
Full Story

HEALTHCARE PRIVACY—U.S.

Hospitals Mine Data To Communicate with Patients (November 13, 2012)

The Columbus Dispatch reports on Ohio hospitals’ data-mining practices for targeted advertising. OhioHealth and Mount Carmel Health System “routinely mine health data from their patients’ records to decide who should receive certain mailings,” the report states. While OhioHealth uses data to message patients with diabetes or heart conditions, Mount Carmel uses the data to send reminders about routine procedures. Both organizations say their tactics comply with privacy laws and data is encrypted. Twenty-five percent of U.S. hospitals use similar techniques. Some patients don’t mind; a recent survey of cancer patients found almost 60 percent said they were willing to share de-identified data for research purposes.
Full Story

DATA LOSS—U.S.

Court’s Decision May Mean Increased Litigation (November 13, 2012)

In an exclusive for The Privacy Advisor, David Governo and Corey Dennis, CIPP/US, examine the case of Resnick v. AvMed and the 11th Circuit Court of Appeals’ decision “that the plaintiffs’ allegations of injury and causation were sufficient to withstand a motion to dismiss where they suffered identity theft” due to an AvMed data breach. The authors suggest the court’s decision “may lead to an uptick in data breach litigation.”
Full Story

PRIVACY LAW—UAE

Privacy Protections Included in Cybercrime Law (November 13, 2012)

The UAE has implemented “the most detailed and comprehensive cybercrime law” in the region, with the extension of “legal privacy protection to personal information online, including credit card and bank account details and electronic payment methods,” The National reports. The new law is based on a 2006 decree, and one expert notes it “has managed to encompass everything needed to safeguard against the possible violations that can take place in this rapidly evolving technology.” Among its provisions, the law creates privacy offences for “eavesdropping and electronic publishing of information and photos, even if what is published is authentic,” the report states.
Full Story

DATA LOSS—U.S.

Suit Filed Against Gaming Site, Social Media Company Reports Breach (November 13, 2012)

Infosecurity reports on a class-action lawsuit filed against the creator of online games including “World of Warcraft” alleging its data security policies are for-profit and deceptive. Blizzard charges users $6.50 for its authenticator service, which creates dynamic passwords for game users to reduce their risk of getting hacked. Citing a recent data breach, the lawsuit states the company “failed to take the necessary measures to secure the private information of their customers.” Blizzard calls the suit “without merit.” Meanwhile, HootSuite is apologizing to users for a recent breach, and ModernHealthcare reports that large health records breaches are down this year.
Full Story

BIOMETRICS—U.S.

Exploring Vein Palm Identification Technology (November 12, 2012)
The New York Times reports on the increasing use of vein pattern recognition systems in medical centers. Hospitals are using the technology to improve convenience and efficiency, but, the report states, “members of the public are paying for that convenience with their privacy.” World Privacy Forum Executive Director Pam Dixon said hospitals employing such technology “are leaping over profound security issues that they are actually introducing into their systems.” A representative from one medical center using the technology said they do not have “formal consent” from patients. Fordham University Law School Prof. Joel Reidenberg noted, “If they are not informing patients it is optional…then effectively, it is coerced consent.” (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

FTC Settles Charges Over Alleged Improper Record Disposal (November 12, 2012)

The Federal Trade Commission (FTC) has settled charges against PLS Financial Services, Inc., and The Payday Loan Store of Illinois, reports Hunton & Williams’ Privacy and Information Security Law Blog. The FTC complaint said the companies violated the FTC’s Disposal Rule and the Gramm-Leach-Bliley Act’s Privacy Rule and Safeguards Rule in their disposal of customer records, which included Social Security numbers and bank information. The records were placed in dumpsters near the retail stores. The companies will pay $101,500, implement information-security programs to be monitored for 20 years and “are enjoined from any future violations” of the Disposal, Privacy and Safeguards rules, the report states.
Full Story

PERSONAL PRIVACY—UK

Minister: Consumer Privacy at Heart of Smart Metering Program (November 12, 2012)

Energy Minister Baroness Verma, responsible for overseeing smart metering, says the government is committed to prioritizing consumer protection and privacy, Out-Law.com reports. According to Verma, the national program will only work if consumers are given a choice about who has access to their data and how it may be used. Smart meter technology, which allows real-time digitized data flows about energy usage, is expected to be in use by 2014. Some 55 million meters are expected to be installed at UK households and businesses by 2019. The UK government is taking a “secure-by-design” approach to the program, Verma said.
Full Story

PRIVACY LAW—U.S.

Class Fighting Google’s Motion To Dismiss (November 12, 2012)

Plaintiffs in a class-action lawsuit alleging Google’s practice of intercepting and scanning e-mails between Gmail and non-Gmail users is in violation of the California Invasion of Privacy Act are opposing Google’s motion to dismiss the case, reports Courthouse News Service. While Google’s motion to dismiss states, among other arguments, that courts have recognized “no one can reasonably expect” e-mails to be “free from the automated processing that is normally associated with delivering e-mails,” the opposition says Google is “reading, learning and recording content and meaning from private communications—something no court has addressed to date.” U.S. District Court Judge Lucy Koh will hear the case in March.
Full Story

GENETIC PRIVACY

Consumer Genomics Firm Opens API to Mobile Developers (November 12, 2012)

Wired reports on a consumer genomics company’s plans to let mobile applications interact with its data—a move that “could usher genetics into the mobile age.” 23andMe has received more than 200 applications from developers; some interested in integrating genetic data with electronic health records to aid researchers and others in building consumer-health related products, the report states. The company’s director of engineering said its open application programming interface could work like “an operating system for your genome, a way that you can authorize what happens with your genome online.” Some worry that as genetic sharing becomes more common, third-party access to an individual’s unique biometric data could compromise their privacy. 
Full Story

ONLINE PRIVACY—EU

ICO, Facebook Call for Changes to Proposed Law (November 9, 2012)
ComputerWeekly reports that UK Information Commissioner Christopher Graham has voiced concerns over the proposed EU data protection framework, calling for stakeholders to “help negotiate something that is relevant to the 21st century.” Graham said the proposals “demand that data protection authorities must impose fines…leaving no room for regulators to exercise discretion,” adding that this would force regulators to “pick and choose,” leading to inconsistencies across Europe. Meanwhile, Facebook is lobbying the European Commission for changes in the proposals—particularly to the “right to be forgotten,” which it says “raises many concerns with regard to the right of others to remember and to freedom of expression.” These comments build on concerns voiced recently by industry experts.

GENETIC PRIVACY—U.S.

Supreme Court Justices To Discuss DNA Case (November 9, 2012)

The Supreme Court will meet privately today to discuss if it will hear a case on whether authorities may take DNA samples from anybody arrested for a serious crime, Wired reports. The issue stems from a Maryland case in which the court ruled it is unconstitutional to take a DNA sample from a criminal suspect who has not been convicted. Prosecutors argued the saliva swab taken is no more intrusive than a fingerprint, but the Maryland court disagreed, saying a fingerprint reveals solely a person’s identity while saliva can reveal many more genetic details. At least 21 states and the federal government require suspects to give a DNA sample upon arrest, the report states.
Full Story

PRIVACY LAW—U.S.

Lawmakers Call for Data-Mining Transparency (November 9, 2012)

A group of lawmakers is calling for data-mining companies to make their operations more transparent, The Washington Post reports. Led by Reps. Edward Markey (D-MA) and Joe Barton (R-TX), the Congressional Bi-Partisan Privacy Caucus has released responses to letters sent in July to nine companies seeking information about their data collection, use and sales to third parties. The lawmakers say the responses “offer only a glimpse of the practices of an industry that has operated in the shadows for years,” adding they hope to work with industry on transparency and, until then, will “push for whatever steps are necessary” to give Americans control over their data. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Opinion: For Millennials, Privacy Is Thriving (November 9, 2012)

“Despite the perception that my generation is reckless on the Internet with social media,” writes Matt Miller in a column for Forbes, “there is a heightened anxiety as we grow up to keep things that might harm our chances of getting a job or getting into a school to ourselves.” Social media sites like Sgrouples claim to not track or spy on users, the report states, and according to its CEO, 20-somethings “are way more concerned about privacy than people think.” Miller says “young people and the web are maturing,” and adds, “I view my generation as the test subject or the case study for growing up on social media.”
Full Story

EMPLOYEE PRIVACY—CANADA

Exploring Workplace Privacy Expectations (November 9, 2012)

In a report for MACLEANS.CA, Jesse Brown explores the implications of a recent Supreme Court of Canada ruling on employee privacy rights. Brown points out that Canadians can now “expect some degree of privacy when using workplace computer gear” but notes that employers can still legally check an employee’s browser history on work devices. “The court’s point,” Brown writes, “is that each case must be considered individually and that privacy is not something that Canadians automatically and completely surrender just by showing up to work.” The case is expected to be cited in many future lawsuits, he adds.
Full Story

MOBILE PRIVACY—U.S.

Experts Anticipate Privacy and Security Challenges in 2013 (November 9, 2012)

Industry experts say privacy and cybersecurity will be among the top issues facing the mobile industry in 2013, NationalJournal reports. At an event this week, Jim Kohlenberger, former chief of staff at the Office of Science and Technology Policy, said, “I think the president is focused on moving this economic engine, this dynamo forward,” adding, “we’ve got big things we need to do…We have to solve important privacy and security challenges.” Another expert said there is “a lot of consumer behavior that is shifting around consumer privacy, and I think it is a fundamental challenge for us as an industry to make sure we come up with the right path forward.”
Full Story

PRIVACY LAW—U.S.

Privacy Implications of the Election Results (November 8, 2012)
Tuesday’s election results could “breathe new life” into a Do-Not-Track agenda, MediaPost reports. The Commerce Department is expected to push its privacy codes of conduct, and Sen. Jay Rockefeller (D-WV) is expected to continue seeking Do-Not-Track legislation. CNET News reports on privacy tests that will face President Barack Obama in his second term, including “the unenviable task of refereeing a series of disputes between privacy advocates and law enforcement officials who are hoping to expand their Internet surveillance powers.” NationalJournal examines leadership changes in the House of Representatives that may have an effect on technology issues going forward, while IDG News Service notes that “policy experts see little movement forward” on existing technology debates—including cybersecurity.

ONLINE PRIVACY

Google Releases Chrome with Improved Privacy Controls (November 8, 2012)

Google has updated its browser to Chrome 23, which includes easier access to privacy controls such as the ability to delete cookies and block sites from tracking users online, reports Webmonkey. “The new drop-down menu also has options to control a website’s permissions for features like geolocation, pop-ups, plugins, fullscreen mode, camera/microphone access and more,” the report states. While these features have been available on past versions of Chrome, the interface has been moved from three levels deep to a drop-down menu next to the URL. Chrome is the last browser to provide support for Do Not Track, and like many others, it is activated on an opt-in basis, the report states.
Full Story

ONLINE PRIVACY—CANADA

Police Chief, Commissioners Disagree on Bill C-30 (November 8, 2012)

Federal and provincial privacy commissioners have responded to a police chief’s column backing the Protecting Children from Internet Predators Act, or Bill C-30. Vancouver Police Department Chief Constable Jim Chu argues the bill will both respect privacy and improve Canadians’ safety. In response, Federal Privacy Commissioner Jennifer Stoddart said the bill “must be amended to respect privacy rights.” Provincial privacy commissioners from Alberta, British Columbia and Ontario also wrote a joint response to Chu’s column. They wrote, “New surveillance powers must not come at the expense of our right to privacy.” Meanwhile, a columnist opines that the newly proposed Safeguarding Canadians’ Personal Information Act will erode online privacy.
Full Story

CLOUD COMPUTING—U.S.

Court To Hear Case on Cloud Users’ Data (November 8, 2012)

Wired reports on a lawsuit filed against the U.S. government in the Megaupload case, which “could set a precedent for cloud users in general.” A Virginia federal court will hear the case involving the government’s shutdown of Megaupload, an online file-hosting service, for alleged copyright infringement. At present, there is no mechanism in place for former users to retrieve their files. A spokeswoman for the Electronic Frontier Foundation, which is representing the suit’s plaintiff, says the privacy of Megaupload’s 60 million users is in jeopardy, adding, “These are new issues. More and more people are using cloud technology every day.”
Full Story

PRIVACY LAW—CANADA

Privacy Commissioner: Union Accountability Bill “Highly Disproportionate” (November 8, 2012)

Privacy Commissioner Jennifer Stoddart has told a parliamentary committee that despite amendments to Bill C-377, it raises “serious privacy concerns,” Toronto Sun reports. The bill aims to achieve greater accountability from unions on budgets, executive salaries and political activities, among other topics. Stoddart said the bill would require names, salaries and other financial details to be disclosed, calling such action a “significant privacy intrusion” that “seems highly disproportionate.” Meanwhile, the Supreme Court of Canada has granted leave to appeal in a case involving union picketers that would clarify the application of Alberta’s Personal Information Protection Act.
Full Story

ONLINE PRIVACY

App Developers Overlooking Privacy (November 8, 2012)

App developers may be overlooking established rules around privacy, Financial Post reports. A September report by the Pew Research Center found that more than half of app users have decided not to install or have uninstalled an app when they realized the personal information it would collect. Canadian privacy commissioners recently released guidance for app developers predicting “increased scrutiny” of apps’ privacy policies moving forward. “It is very difficult for startups to navigate around privacy rules,” said one expert. “I think a lot of startups end up not worrying about it, in the idea that they will have to deal with it if they become as successful as Facebook.”
Full Story

ONLINE PRIVACY—THE NETHERLANDS

Police Indicate Company Shared Data (November 8, 2012)

During a police investigation into a cyberattack on PayPal, voice-over-Internet company Skype allegedly handed over the personal information of a 16-year-old customer to an IT firm, NU.nl reports. PayPal reportedly hired Dutch IT security firm iSIGHT to investigate the cyberattack, during which a 16-year-old boy’s pseudonym was discovered. Police notes indicate that Skype, another of iSIGHT’s clients, complied when iSIGHT asked for the boy’s account data. While Skype allegedly shared the data voluntarily, a court order would generally be required, the report states. A spokesman for Skype said, “It is our policy not to provide customer data unless we are served with valid request from legal authorities.”
Full Story

DATA PROTECTION—UK

ICO Fines Private-Sector Firm for Data Inaccuracies (November 7, 2012)
The Information Commissioner’s Office (ICO) has issued a £50,000 fine to the Prudential Assurance Company Limited for a database error that caused an individual’s retirement funds to be placed into another individual’s account, V3.co.uk reports. According to an ICO press release, the move is “a warning to the financial sector” and “the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.” ICO Head of Enforcement Stephen Eckersley said, “We hope this penalty sends a message to all organizations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.” Prudential has apologized and compensated the affected individuals.

DATA RETENTION—GERMANY

Court Examines Retention Law’s Constitutionality (November 7, 2012)

Germany’s highest court is looking at the country’s anti-terror law to examine its constitutionality, Deutsche Welle reports. Judges at Germany’s Constitutional Court this week noted concerns about the data retention law, passed in 2006, that allows intelligence agencies to collect and store information about terror suspects and their supporters in a database. Thirty-eight agencies have access to the database, which stores names, birth dates, addresses, religious preferences and bank and telecommunication accounts, the report states. One judge noted concerns around the vague definition of “supporters” of violence and a clause allowing for data collection on “supporters of supporters.”
Full Story

DATA LOSS—AUSTRALIA

Restaurant Reports Website Hack (November 7, 2012)

Pizza Hut Australia has confirmed a layer of its website has been hacked, Gizmodo reports. The company’s general manager says it has notified the Office of the Australian Privacy Commissioner and is working with its website provider to conduct an investigation. Despite hackers’ claims in a message to Pizza Hut that they took 240,000 Australian customers’ credit cards, the company says “absolutely no credit card information was stolen and there is no need for concern regarding credit cards.” The report states that, per PCI-DSS rules, credit card numbers were sent to a third party to process and store transactions.
Full Story

PRIVACY LAW—U.S.

Analyzing FTC v. Wyndham (November 7, 2012)

In a Q&A for Inside1to1:PRIVACY, Morrison & Foerster’s D. Reed Freeman, CIPP/US, analyzes the implications of Federal Trade Commission v. Wyndham Worldwide Corporation, “specifically, the Count II ‘unfairness’ claim—and Wyndham’s motion to dismiss.” Wyndham’s assertion that the FTC has assumed authority not given by Congress to regulate data security “is essentially right,” said Freeman. “Wyndham argues that Congress has enacted a number of data security laws applicable to specific sectors but that it has failed to enact a general substantive data security law, and therefore, according to Wyndham, Congress has delegated to itself the authority to create data security laws and has not left it to the FTC to fill in the gaps, especially using its unfairness authority.”
Full Story

PERSONAL PRIVACY

Opinion: Technology Creates Need for New Privacy Rights (November 7, 2012)

In a column for Slate, Evan Selinger discusses the work of University of Colorado Law School Prof. Harry Surden on why certain transaction cost-reducing technologies are taking down traditional barriers to personal privacy. “Accordingly,” writes Selinger, “we need to reassess how we think about our privacy rights and what personal information should be included in that class.” RFID tags are one such example of how traditional privacy barriers can be removed, the report states, as they can reveal items thrown in the trash. Selinger explains, “Privacy advocates worry that if the tags are active when items get thrown away, ‘a criminal or marketer could scan your garbage’ to see what you purchased.”
Full Story

CHILDREN’S PRIVACY—U.S.

Companies Object to Proposed COPPA Changes (November 6, 2012)
The New York Times reports on the opposition to Federal Trade Commission (FTC) efforts to update the Children’s Online Privacy Protection Act (COPPA) to increase the types of data that require parental permission prior to collection, citing concerns that COPPA “has not kept pace with advances like online behavioral advertising,” the report states. Companies including Apple, Facebook, Google, Microsoft, Twitter, Viacom and Disney are among those raising concerns, the report states, with some contending the FTC’s “proposed rule changes seem so onerous that, rather than enhance online protections for children, they threaten to deter companies from offering children's websites and services altogether.” (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Experts: DNT at a Standstill (November 6, 2012)

Nine months after advertisers, privacy advocates and government officials announced the launch of an agreement to allow online users to opt out of tracking, The Hill reports that little headway has been made in the effort to implement Do Not Track (DNT). The report cites comments from the Interactive Advertising Bureau’s Mike Zaneis that stakeholders are “not really any closer to an agreement” on the creation of a DNT feature and from Stanford University’s Jonathan Mayer that negotiations have come to a “standstill.” The report also references recent comments by FTC Chairman Jon Leibowitz suggesting the advertising industry has backed away from its pledge.
Full Story

DATA LOSS—U.S.

Tax Breach Raises Concerns for States (November 6, 2012)

The theft of 3.6 million Social Security numbers and 387,000 credit card numbers from the South Carolina Department of Revenue is putting state tax departments across the country on guard, The New York Times reports. National Federation of Tax Administrators Deputy Director Verenda Smith said, “When one employee’s laptop gets stolen, it’s a big deal…So you can imagine the reverberations when this news came out.” Privacy Rights Clearinghouse Director Beth Givens said this event “appears to be in a league of its own,” and former state senator John Hawkins has filed a lawsuit against the state. “Obviously these hackers picked South Carolina because it was vulnerable,” he said. (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY—U.S.

Researchers: Smart Meter Data Could Put Privacy at Risk (November 6, 2012)

A study at the University of South Carolina (USC) has found that smart meters transmit unencrypted information that could put home owners’ privacy at risk, IDG News Service reports. Researchers say the right software could help determine whether a resident is at home at any particular time. These particular smart meters are currently installed at one-third of U.S. homes and businesses. Some transmit meter readings upon request, while others transmit readings every 30 seconds. Researchers at USC used software to capture smart meter data from up to 300 meters away, which they then processed and reverse-engineered to find that the data was sent in plain text and contained meters’ identification numbers.
Full Story

HEALTHCARE PRIVACY—U.S.

Pediatricians Call For Reforms in Adolescent Privacy Rules (November 6, 2012)

The American Academy of Pediatrics (AAP) says electronic health record technology should be “retooled to protect the medical privacy of adolescent patients,” FierceEMR reports. A lack of standards on adolescent privacy has left states to determine ways to share such data without violating patient privacy. In a policy statement, the AAP suggests developing criteria for adolescents’ electronic health records (EHRs) that determine access and control standards and comply with state and federal rules as well as developing criteria and EHRs that allow adolescents to “record consent for care and treatment as well as explicit consent” for release of their medical data, among other recommendations.
Full Story

PRIVACY LAW—U.S.

Assessing Risk: Data Breach Litigation in U.S. Courts (November 6, 2012)

In this exclusive for The Privacy Advisor, Arnall Golden Gregory’s Kim Phan writes, “Companies may want to assess the level of risk posed by the possibility of litigation when determining how to respond to a data breach.” Phan explores specific factors that can help determine the likelihood of litigation following a breach. “Until recently, consumer plaintiffs have met with very little success in the courtroom, but this could change as the general public becomes increasingly aware that companies are maintaining detailed information about their customers,” writes Phan, adding, “Courts may soon recognize that an individual consumer has a reasonable expectation that such information should be protected and that a data breach violates that expectation.”
Full Story

PRIVACY LAW—U.S.

Apple To Fight Song-Beverly Lawsuit (November 5, 2012)
The California Supreme Court will hear a high-stakes case Wednesday on the amount of personal information online retailers may collect during consumer transactions. Apple will fight a class-action lawsuit arguing that California’s Song-Beverly Credit Card Act, which restricts the amount of personal information consumers must provide to make a purchase, applies only to brick-and-mortar businesses. Online retailers say their data collection prevents credit card theft and identity fraud, while privacy advocates say the law applies to any credit card commerce, Mercury News reports. "This case is an early warning sign about what we're going to be seeing," said Pam Dixon of the World Privacy Forum, adding that a balance must be found between consumer protection and overcollection.

ONLINE PRIVACY—U.S.

FTC To Be Patient With Industry DNT Developments (November 5, 2012)

The Federal Trade Commission (FTC) has said it supports the current multistakeholder approach to developing Do-Not-Track (DNT) standards and will give the process time before calling for a legislative solution, POLITICO reports. FTC Chairman Jon Leibowitz said, “If by the end of the year or early next year, we haven’t seen a real Do-Not-Track option for consumers, I suspect the commission will go back and think about whether we want to endorse legislation.” Meanwhile, NationalJournal reports on speculation over who may lead the FTC upon the potential departure of Leibowitz. Though he has not publicly confirmed plans to leave his current post, recent reports have indicated such a move is likely.
Full Story

ONLINE PRIVACY—U.S.

Yahoo Asks for Dismissal of Privacy-Invasion Suit (November 5, 2012)

Courthouse News Service reports that Yahoo has asked a federal judge to dismiss a class-action lawsuit claiming the company intentionally intercepts, reads and records e-mails prior to passing them along to users. According to the complaint, the alleged practice is a violation of the California Invasion of Privacy Act (CIPA). The case parallels complaints filed against Google for similar practices. An attorney representing plaintiffs in cases against both companies said, “It’s exactly the same thing. The case involves allegations Google is intercepting e-mails to Gmail users before their delivery,” adding, “They are mining information so they can deliver targeted ads to their users. Yahoo disputes they are doing what Google is doing.” Yahoo has said CIPA does not address e-mail communications.
Full Story

PRIVACY LAW—U.S.

Data Access Case Settlements Top $1 Million (November 5, 2012)

Minneapolis StarTribune reports the city of Minneapolis will pay $392,000 to a woman for a privacy violation. Anne Rasmusson, a former police officer, sued 16 Minnesota jurisdictions alleging an estimated 140 employees accessed her driver’s license data. Minneapolis’ City Council approved the payout after considering the potential costs of the suit, including “staff time, police time and the risk of paying attorneys’ fees” in addition to federal statutes on damages. A spokesman for Minneapolis police said the department has tightened its data access controls following the case. Rasmusson’s settlements over the breaches now total more than $1 million.

PERSONAL PRIVACY—U.S.

Library Digitization Puts Data Sharing in Tension with Privacy (November 5, 2012)

The Chronicle of Higher Education explores the increased use of digital services by libraries and the corresponding privacy concerns that arise. Libraries have traditionally protected patrons’ privacy but are increasingly expanding digital services for recommending, sharing and discovering books. University of Wisconsin at Milwaukee School of Information Studies Assistant Prof. Michael Zimmer has said libraries will need to “tap into and encourage increased flows of personal information from their patrons,” but they face “a Faustian bargain.” Zimmer writes that librarians may decide “the benefits of these advanced data-based services outweigh the traditional protection of patron privacy.”

DATA PROTECTION—U.S.

OIG Report Critical of VA Research Data Exchanges (November 5, 2012)

The Office of the Inspector General (OIG) has said the Department of Veterans Affairs (VA) is not exercising adequate precautions in protecting sensitive health information that is shared with researchers, GovInfoSecurity reports. In the 57-page report, the OIG writes, “the VA could not readily account for the various systems linkages and sharing arrangements with researcher partners” and could not provide an accurate research data exchange inventory, where information was hosted or data sensitivity levels. The OIG recommends the VA create and institute a centralized data governance and storage model. The VA said that plan “would take considerable human and monetary resources,” the report states. Another recent OIG report found veterans’ data was “at risk due to unencrypted computers.”

SOCIAL NETWORKING

Facebook Releases Privacy Tool for New Users (November 5, 2012)

The Washington Post reports on Facebook’s rollout of a tool for new users. The tool, which is in part a result of talks with the Irish data protection authority (DPA) following its audits of the company, “gives users specific instructions on Facebook’s default settings, sharing permissions, policies on data access, rules about apps, games and third-party websites, advertisements, photo tags and the way the site finds friends and connections for new users,” the report states. Facebook Chief Privacy Officer Erin Egan said in a statement that the company is committed to helping users understand their online sharing options and thanked the Irish DPA for its work. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Presidential Campaign Sites Allegedly Leaking PII (November 2, 2012)
The New York Times reports on a study by computer science student Jonathan Mayer alleging that both the Obama and Romney campaign websites are leaking visitor data to third-party trackers. One website includes users’ personal data in the URL or at the top of the page, Mayer reports, and the information leaked to third parties variously includes username, registered proper name, street address and ZIP code. The other website reportedly includes the user’s name in the page title and features a unique ID number in the URL. “Are the campaigns identifying their supporters to third-party trackers? Are they directly undermining the anonymity properties that they are so quick to invoke?” queried Mayer, suggesting, “Yes, they are.” (Registration may be required to access this story.)

DATA RETENTION—AUSTRALIA

MPs Urging URL Exclusion in Telecom Proposal (November 2, 2012)

Officials from the Australian Attorney General’s Department appeared before the Joint Committee on Intelligence and Security to hash out proposed changes to telecommunications interception legislation. ZDNet reports that AG Department Secretary Roger Wilkins said the data retention portion of the proposal could be altered to specifically exclude web browsing history from “non-content data.” Wilkins said URLs would be classified as content data, requiring a warrant from law enforcement. “In characterizing what (telecommunications companies) are obliged to do, we could say, ‘This does not include web-browsing material.’ They are not obliged to do that, and certainly, the more critical thing is that law enforcement agencies basically cannot authorize access to that,” Wilkins said.

DATA LOSS—U.S.

PII Exposed on University Website (November 2, 2012)

The personal information of as many as 2,000 individuals was exposed for five days on a Cornell University website, The Cornell Daily Sun reports. A file server in the school’s athletics department contained “confidential data” and was accessible to the public. A university information systems director said, “We don’t know if the data was breached…I just know that we went through and identified people by name and Social Security number and notified them.”

PRIVACY

Expert Discusses Companies’ Breach Preparedness (November 2, 2012)

Companies frequently wait until they’ve been hacked to seek counsel about their data security, one expert says. Bloomberg Law spoke with Hunton & Williams’ Lisa Sotto, CIPP/US, on Barnes & Noble’s recent data breach in which 63 stores were hacked for customer payment card data, inciting a lawsuit. “In most cases, companies are not doing anything wrong,” Sotto said. “These types of events are highly sophisticated, highly orchestrated…and the criminals who are doing this are creative and highly motivated.” Sotto advises her clients to “impose structure on their information security system” and be sure employees receive sufficient training. Small, manageable breaches have a silver lining, she said, because they prompt companies to take action.

ONLINE PRIVACY—CANADA

Stoddart Pleased with Sites’ Progress on Compliance (November 2, 2012)

Canadian Privacy Commissioner Jennifer Stoddart says she’s pleased with the progress made by organizations flagged as raising privacy concerns, ITBusiness.ca reports. In September, Stoddart said some leading Canadian websites were inappropriately sharing users’ personal information with third parties. After investigating 25 shopping, travel and media sites, Stoddart wrote to 11 of them asking for changes in order to comply with Canadian privacy law. A Stoddart spokesperson said she’s “pleased that they appear to be taking this issue very seriously,” and the office is now analyzing their responses for continued discussions.

PRIVACY LAW—EU

Justice Committee Calls for Changes in Draft Data Protection Proposals (November 1, 2012)

The Justice Select Committee has said the European Data Protection proposals “need to go back to the drawing board,” Parliament.uk reports. The committee says in a new report that the updates to data protection laws are “too prescriptive” and don’t allow necessary flexibility for data protection authorities or organizations that retain personal data. The proposals should focus on the commission’s objectives while compliance should be monitored by member states, the committee suggests. The committee noted its support for the draft law’s provisions that would give individuals increased control of their data, allow for data erasure or removal and harmonize laws across regions.

DATA LOSS—U.S.

State Tax Department Breach Incites Lawsuit (November 1, 2012)

FOX Carolina 21 reports on the fallout from a breach at South Carolina’s state tax agency affecting 3.6 million individuals’ Social Security numbers. A law firm has filed a class-action lawsuit against both the state’s governor and the Department of Revenue (DOR) alleging they failed “to protect the citizens of South Carolina” and violated the state’s breach disclosure laws. The governor said the fact that the information wasn’t encrypted isn’t an anomaly. “It’s not just that this was a DOR situation but an industry situation,” she said. The Washington Post reports the breach may be the “largest cyber-attack against a state tax department in the nation’s history.”

DATA PROTECTION—EU & URUGUAY

Council of Europe Promoting Latin American Data Protection (November 1, 2012)

The Council of Europe is encouraging non-EU member states to ratify Convention 108—the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, MercoPress reports. Uruguay, which recently hosted an international privacy conference, has initiated the ratification process, possibly becoming the first non-Council of Europe member state to do so, the report states. Council of Europe’s Jörg Polakiewicz said, “The eventual accession of Uruguay will be a key step towards the global promotion of the convention and intergovernmental cooperation on personal data protection,” adding, “We are sure, hopefully, that Uruguay will be the first of many non-European countries to join the treaty.”

PRIVACY LAW—PAKISTAN

Law Must Balance Security with Individuals’ Rights (November 1, 2012)

Responding to criticism over a new counterterrorism law, Sen. Raza Rabbani has said the law “must not be used to put the fundamental rights of people at stake,” The Express Tribune reports. The Fair Trial Act allows the state to intercept private communications, including e-mails, SMSs, phone calls and audio-visual recordings, in order to arrest suspected terrorists. The law has been tabled in the National Assembly. “We must strike a balance between adopting modern techniques of investigations and the fundamental rights of the people,” said Barrister Zafarullah Khan.

ONLINE PRIVACY—EU

Advocate: Google Data Use Should Be in Antitrust Talks (November 1, 2012)

A European-based consumer rights group has said the European Union should consider Google’s access to personal data in its antitrust considerations, Businessweek reports. Consumer organization BEUC Director General Monique Goyens said in a letter to the EU’s antitrust chief that much of the company’s market advantage is “largely fueled by its access to users’ personal data.” Goyens added, “The privacy policy of Google is directly linked to its dominance in the online search and should therefore be considered as an aggravating factor in your analysis.”

MOBILE PRIVACY

Study: Free Apps Present More Privacy Risks (November 1, 2012)

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps, the San Jose Business Journal reports. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with who and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.”