Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!


Top Privacy News

SOCIAL NETWORKING

Company Reverses Privacy Policy Changes (December 21, 2012)
The New York Times reports on Instagram’s reversal of proposed changes to its privacy policy announced earlier this week. According to a blog post released Thursday night by Instagram Co-Founder Kevin Systrom, the company plans to revert to its previous terms of service. Systrom said, “Going forward, rather than obtain permission from you to introduce possible advertising products we have not yet developed, we are going to take the time to complete our plans, and then come back to our users and explain how we would like for our advertising business to work.” Systrom added, “I want to be really clear: Instagram has no intention of selling your photos, and we never did. We don’t own your photos--you do.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Senate Passes VPPA Amendment (December 21, 2012)

The U.S. Senate has passed revisions to the Video Privacy Protection Act to allow video streaming and rental firms to obtain user consent for the purposes of sharing data about their viewing preferences on social networking sites, CNET News reports. A Netflix spokesman said, “After the president signs the bill, we will introduce social features for our U.S. members in 2013.”

HEALTHCARE PRIVACY—U.S.

Report: CA Should Address HITECH Vision and Governance (December 21, 2012)

A new report from the California Healthcare Foundation says California needs to address “fundamental issues with vision and governance” as it implements the HITECH Act, FierceEMR reports. The report urges developing a statewide vision for HITECH implementation; streamlining and consolidating governance, and recruiting and retaining strong leadership to run the programs. California has received $353 million in Medicaid electronic health record (EHR) incentive payments. The report states, “Given the lack of tangible progress in expanding (health information exchange) capacity in California through federally funded programs…it is unclear how meaningful the widespread adoption of EHR will be.”

CHILDREN’S PRIVACY—U.S.

COPPA Revisions Could Have Grim Implications for Small Apps (December 21, 2012)

The New York Times reports new COPPA rules may result in some small app developers pulling out of the children’s market altogether. Under COPPA’s original rules when it was enacted in 1998, website operators were required to obtain parental consent before collecting personal information from children under the age of 13. The updated rule applies also to social networks, advertising networks and other third parties and has “radically different implications for big websites and small app developers,” the report states. While some small app developers previously chose to comply by simply not collecting children’s data, those developers are now responsible for the third parties serving ads on their sites.

HEALTHCARE PRIVACY—U.S.

HHS Posts Site To Guide Agencies on Mobile Devices (December 21, 2012)

The U.S. Department of Health and Human Services (HHS) has created a website focusing on mobile devices and health information privacy and security, reports Adam Greene for Davis Wright Tremaine’s Privacy & Security Law Blog. The site includes videos on secure use of mobile devices, a process for addressing mobile devices at healthcare organizations and FAQs, the report states. The five-step process suggested to safeguard the use of mobile devices includes deciding on appropriate use, assessing risks, developing a risk management strategy, implementing policies and training employees.

PRIVACY

2012 Privacy Trends Expected To Stick Around (December 21, 2012)

CNET News outlines security trends from 2012 that it expects will continue to play a major role in 2013. The trends include: the Internet as a government tool; more mobile devices, bigger targets; desktop threat, still a threat; privacy and data breaches, and holistic security. The report states, “Because of their very mobile, always-connected nature,” the problems with mobile devices “will become more complex in 2013.” It also highlights the rise in awareness of data mining and notes, “security problems may start in discretely different realms, but the nature of the Internet is making them more intertwined than ever before,” adding, “security is becoming an issue of ongoing education.”

CHILDREN’S PRIVACY—U.S.

Industry: COPPA Changes Could Hamper Third-Party Relationships (December 20, 2012)
The New York Times reports on the FTC’s unveiling yesterday of final amendments to its COPPA rule. The revisions expand the types of companies that must gain parental consent to collect data from children under 13 and broaden the definition of “personal data” requiring parental consent before data collection can occur, among other changes. FTC Commissioner Maureen Ohlhausen voted against the new rules saying they exceed the scope of the FTC’s authority. Industry advocates say the new rules could discourage sites’ use of ad networks. “There might be overreaction that would limit just general third-party collection of data, which is very useful to businesses and consumers,” said Stuart Ingis of the Direct Marketing Association and the Association of National Advertisers. (Registration may be required to access this story.) Editor’s Note: The IAPP will host a web conference, “COPPA Update—A Close Look at the New Amendments” on January 10, from 1 - 2:30 p.m.

PRIVACY LAW—EU & NEW ZEALAND

NZ Privacy Act Receives EU Adequacy (December 20, 2012)

The European Commission has announced that New Zealand’s Privacy Act meets adequacy standards set forth in EU data protection law. New Zealand Privacy Commissioner Marie Shroff welcomed the news, saying, “The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.” According to a New Zealand Office of the Privacy Commissioner (OPC) press release, the agency has spent years working toward adequacy. OPC Assistant Commissioner Blair Stewart said, “Europe and New Zealand share a common commitment to upholding human rights.”

HEALTHCARE PRIVACY—U.S.

OCR: Responsible Reactions to Breaches Help Entities Avoid Fines (December 20, 2012)

Government Health IT reports healthcare entities and business associates should prepare for new audits and monetary enforcement, says Leon Rodriguez of the Office for Civil Rights at the Department of Health and Human Services. He adds, however, healthcare entities that respond responsibly to data breaches most likely won’t face monetary punishment. In fiscal year 2012, the agency collected nearly $4 million—a record amount for the agency—though that number represents only about 10 cases. “One of the first things we look at is what did the entity do to analyze the root cause of the breach. (And) what did it do to remedy the root causes,” he says.

DATA PROTECTION—U.S.

Bill Keeps Data Breach Requirement Provision (December 20, 2012)

A provision included in the House and Senate conference version of the fiscal 2013 national defense authorization act would require defense contractors to report data breaches to the Pentagon, FierceGovernmentIT reports. The defense secretary would assign a senior official to designate which contracts and networks would come under the reporting requirement, the report states. The bill, made public December 18, includes language similar to the original Senate proposal in prohibiting dissemination of information obtained via data breach disclosures without contractor approval. Critics say, however, that contractors may feel pressured to give consent for such information sharing. The bill would not cover Internet service providers or telecommunications companies except in certain cases.

DATA RETENTION—AUSTRIA & EU

Court: EU Retention Rule Could Breach Law (December 20, 2012)

The Constitutional Court of Austria has asked the European Court of Justice to consider whether the EU Data Retention Directive contravenes fundamental EU law, IDG News Service reports. The rules requiring nations to retain large amounts of personal information for law enforcement purposes—including electronic communications and location data—may be an invasion of citizens’ privacy, said the Austrian court. Constitutional Court of Austria President Gerhart Holzinger noted, “We doubt that the EU Data Retention Directive is really compatible with the rights that are guaranteed by the EU Charter of Fundamental Rights.”

PRIVACY LAW—U.S.

FTC Adopts Final COPPA Amendments (December 19, 2012)
The Federal Trade Commission (FTC) has announced its adoption of final amendments to the COPPA Rule, strengthening privacy protections for children online and giving parents greater control over the personal information websites may collect on them, The Washington Post reports. The amendments, the result of a 2010 initiative to update the rule in light of technological advances, include a modified definition of “personal information,” which now includes geolocation information; new ways of gaining parental consent, and the closure of a loophole that previously allowed third parties to collect personal information via plug-ins without parental consent. FTC Chairman Jon Leibowitz said the changes “empower parents to serve as their children’s gatekeepers to the online world.” The final rule will go into effect July 1, 2013. (Registration may be required for access to this story.)

BIG DATA—U.S.

Lawmakers, Data Firms Respond to FTC Probe (December 19, 2012)

The Federal Trade Commission’s (FTC) inquiry into the collection practices of data brokers has garnered praise from several lawmakers and has been welcomed by some of the companies involved. MediaPost reports Sen. Jay Rockefeller (D-WV) said consumers “deserve to know who is collecting information about them,” and Rep. Ed Markey (D-MA) said, “It’s critical to bring data brokers out from the shadows and shed light on this omnipresent industry.” Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, welcomed the opportunity. She wrote, “We consider this request as an avenue to promote a better understanding of why what we do is vital for the American economy as it creates enormous value for people and businesses while respecting and protecting consumers’ interests.”

PRIVACY LAW—U.S.

House: Yes to VPPA, No to ECPA Amendments (December 19, 2012)

The U.S. House of Representatives has approved a measure to make it easier for consumers to share their video-viewing preferences online but did not back an e-mail privacy amendment that would require law enforcement to acquire a warrant prior to accessing electronic communications, CNET News reports. “We are pleased the House has moved to modernize the VPPA (Video Privacy Protection Act), giving consumers more freedom to share with friends when they want,” Netflix said in a statement. The American Civil Liberties Union’s Chris Calabrese criticized the House for not including the e-mail privacy amendment.

DATA PROTECTION—EU

Proposals Would Require Breach Notification (December 19, 2012)

InformationWeek reports on proposals now circulating within the European Commission that would require European businesses providing critical infrastructure services to report data breaches to authorities. EU officials say the provision is necessary to remove the stigma associated with data breaches and to increase information sharing among such service providers. “We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security,” an EU official said.

ONLINE PRIVACY

Users, Lawmaker React to Instagram Policy Changes (December 19, 2012)

The Washington Post reports on reactions following Instagram’s announcement that it would change its terms of use to share images uploaded to the site without permission or compensation. Many users indicated fears they might see their images used in advertisements created by Instagram or Facebook, which bought Instagram earlier this year. An Instagram spokesman said in a blog post yesterday, “To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear.” U.S. Rep Ed Markey (D-MA) said, “A picture is worth a thousand words; posting one to Instagram should not cost you your privacy.” (Registration may be required to access this story.)

BIG DATA—U.S.

FTC Orders 9 Firms to Provide Collection Practices (December 18, 2012)
The Federal Trade Commission (FTC) has issued orders to nine data brokerage companies requiring them to provide the agency with information on how they collect and use consumer data. The agency wants details on the nature and sources of the data collected; how the data is used, maintained and disseminated, and whether data brokerage firms allow consumers access to and remediation of their personal data or to opt out of having their data collected. The agency plans to use the information to prepare a study and set forth recommendations “on whether, and how, the data broker industry could improve its privacy practices.”

MOBILE PRIVACY—U.S.

SpongeBob App Suspended Following Complaint (December 18, 2012)

Nickelodeon has temporarily removed its SpongeBob Diner Dash game from Apple’s iTunes app store after a complaint was filed against it with the Federal Trade Commission (FTC), CNET News reports. The Center for Digital Democracy (CDD) has filed a complaint alleging Nickelodeon and game-maker PlayFirst are inaccurately marketing the game and violating COPPA. The app collects users’ e-mail addresses without providing “notice to parents” or obtaining “prior parental consent, as required by the Children’s Online Privacy Protection Act,” according to the complaint. The CDD filed a similar complaint against mobile app “Mobbles” last week. Its developer pulled it offline in response. The FTC recently released a report expressing discontent with mobile apps’ treatment of children’s privacy.

ONLINE PRIVACY

Scientist Develops “Identity Mixer” (December 18, 2012)

A lead scientist at IBM’s Zurich Research Center has developed an “Identity Mixer” aimed at facilitating e-mail and Internet shopping without excessive disclosure of personal information, International Business Times reports. “The idea is to authenticate only the minimally necessary information for authentication,” said IBM Fellow Jan Camenisch. “We want to deal with a digital society that requires electronic authentication.” The Identity Mixer issues “‘electronic tokens’ that verify user information contained in a third-party database,” the report states. The mixer has been piloted in Greece at the Research Academic Computer Technology Institute, and IBM hopes to employ it in the EU’s FutureID, introduced last month to protect personal data related to government-issued identity cards.

STUDENT PRIVACY—U.S.

Athlete-Monitoring Program Raises Concerns (December 18, 2012)

A new oversight system being implemented by the Ohio State University (OSU) is raising concerns among some that it infringes on student athletes’ privacy, The New York Times reports. The school said the program will financially educate athletes, but critics see it as a violation of privacy. An OSU assistant professor said, “Part of me says you do what you’ve got to do when you’re a big-time college athletics program,” but added, “The flip side is it’s pathetic that we have to do this. I don’t like the Big Brother aspect of this. Do we have to monitor everything?” (Registration may be required to access this story.)

ONLINE PRIVACY—EU

Regulators Formally Examining Policy Changes (December 18, 2012)

Bloomberg reports that EU regulators are formally examining recent changes by Microsoft to its privacy policy. Data protection authorities (DPAs) from France and Luxembourg are leading the investigation and aim to verify whether the changes will offer European users appropriate notice and choice of services, the report states. Dutch DPA Jacob Kohnstamm said, “Given the wide range of services you offer, and popularity of these services, changes in your services agreement and the linked privacy policy may affect many individuals in most or all of the EU member states.” A Microsoft spokesman said, “We are confident they will find Microsoft’s long-standing commitment to privacy has not changed.”

CONSUMER PRIVACY—U.S.

FTC’s David Vladeck Stepping Down (December 18, 2012)

The Federal Trade Commission (FTC) has announced the departure of Bureau of Consumer Protection Director David Vladeck, Advertising Age reports. “He’s revitalized the bureau,” Venable Attorney Randy Shaheen said, adding, “It’s been a very active three years, with a lot of new initiatives and guidance.” Vladeck helped pave the way for the FTC’s comprehensive privacy framework and brought several enforcement actions against companies—including Google and Facebook—for privacy violations. Deputy Director Charles Harwood will be appointed acting director when Vladeck steps down on December 31.

SOCIAL NETWORKING—GERMANY

DPA Pushes Back on Pseudonym Policy (December 18, 2012)

A German privacy regulator has ordered Facebook to immediately cease enforcing its real-name policy because it allegedly violates the German Telemedia Act, IDG News Service reports. Schleswig-Holstein Office of the Data Protection Commissioner Thilo Weichert said the nation’s law provides users with the right to use pseudonyms online. “This decree is binding,” Weichert added. A Facebook spokeswoman said, “We believe the orders are without merit…and we will fight it vigorously.” Meanwhile, Instagram has altered its privacy policy to share data with Facebook. The changes are slated to take effect January 16.

PRIVACY—U.S.

Westin: Privacy Has Become a “Central Issue” (December 17, 2012)
“When I wrote Privacy and Freedom in the mid-1960s,” writes preeminent privacy scholar Alan Westin in this Daily Dashboard exclusive, “privacy was essentially a third-tier social, political and legal issue.” Noting that “privacy has become a central issue and fierce battleground of the technology-driven world,” Westin demonstrates “how profoundly important (privacy) has become” by revealing search engine results on key words such as “privacy,” “privacy policies” and “privacy officers” and how they compare to other “important societal values” such as “freedom,” “national security policies” and “chief executive officer.” In each case, results for “privacy” and its related key words grossly outnumber the corresponding search terms—“a stunning but trustworthy portrait of just how central privacy has become in the U.S. today,” he writes.

CHILDREN’S PRIVACY—U.S.

COPPA Revisions Expected This Week (December 17, 2012)

Federal Trade Commission Chairman Jon Leibowitz says he hopes to announce updates to the Children’s Online Privacy Protection Act this week. The commission released a draft revision to the act in August, which was met with resistance by companies concerned that the changes would “burden websites, stifle online commerce and infringe on constitutionally protected free-speech rights,” The Hill reports. Meanwhile, Ad Age reports on a number of initiatives in Washington, DC, related to mobile privacy, including a meeting today by the Department of Commerce’s National Telecommunications and Information Administration on creating a standard for mobile app privacy notifications.

PERSONAL PRIVACY—UK

Government Releases Smart Meter Rules (December 17, 2012)

The UK Department of Energy and Climate Change has released smart meter privacy rules, reports Smartmeters.com. Energy and Climate Change Minister Baroness Verma said the smart meter system brings “huge potential benefits for millions of homes and businesses and for Great Britain as a whole.” She added, “Let me be clear: the consumer comes first.” The rules give consumers a choice on how often energy suppliers can access their energy consumption data and prohibit suppliers from using such data for marketing purposes unless they have explicit consent. The rules also establish a “Central Delivery Body” to help consumers use smart meters to better manage their energy use.

GEO PRIVACY—GERMANY & EU

Official Says New Google Maps May Violate EU Law (December 17, 2012)

A German official has expressed concerns that the location data sharing function within the new Google Maps for iOS may violate European law, Ars Technica reports. Schleswig-Holstein Independent Centre for Privacy Protection Deputy Privacy and Information Commissioner Marit Hansen said the location sharing option is switched on by default and the company’s use of the word “anonymous” in its terms of service is misleading. She said, “All available information points to having linkable identifiers per user,” which led her to state that the company’s “anonymous location data” would be considered personal data in the EU, the report states. Meanwhile, an op-ed notes that Google “is in an ideal position” to “make strong e-mail encryption a mass phenomenon,” which would be a “win-win” for the company. 

SSN PRIVACY—U.S.

SSN Requests Forbidden As Law Takes Effect (December 17, 2012)

A law aimed at protecting consumers from identity theft has taken effect in New York. The law, introduced by state Sen. Lee Zeldin (R, C, I-Shirley), forbids businesses and individuals from requesting Social Security numbers except in certain instances. Violations of the law, signed by Gov. Andrew Cuomo, will be punishable by fines of up to $500 per violation. “Many times, when shopping for goods or services, you are led to believe that you must disclose your Social Security numbers to get a reward or sales price. This law protects your Social Security number, your privacy and your identity,” Zeldin said.

TRAVELERS’ PRIVACY—CANADA & U.S.

Visa Information-Sharing Agreement Signed (December 17, 2012)

In a ceremony on Thursday, Canada and the U.S. signed a treaty to share data about visa applicants and asylum seekers including biometric information, name, birth date and gender, reports the Canadian Press. Canada’s privacy commissioner has raised concerns that the information could end up in the wrong hands, possibly endangering applicants and their families. However, Immigration Minister Jason Kenney stressed that the agreement comes with “rigorous privacy safeguards” that ensure data will be shared in accordance with Canadian law. The agreement states that either country may share data with a domestic court for immigration purposes or with a third country, but only with the approval of the providing country.

How Important Is Privacy Today? (December 17, 2012)
When I wrote Privacy and Freedom in the mid-1960s, privacy was essentially a third-tier social, political and legal issue. Its components were protections against unreasonable search and seizure; rights to remain silent in various forums (the privilege against self-incrimination); rights of confidentiality in various types of record systems (census, social security, medical and personnel records, etc.); conventions about respecting privacy in interpersonal and family relations, and various modesty and reserve rules in dress, speech, sex, etc. At the same time, the U.S. was preeminent among democracies in making government information about individuals a matter of public records access, and in defining the media’s right to investigate and publish personal behaviors in very broad legal terms.

SURVEILLANCE

Counterterrorism Agency To Tap Citizen Database (December 14, 2012)
The Wall Street Journal reports that rules signed into effect last March allow the National Counterterrorism Center (NCTC) to access government files on citizens and analyze them for possible criminal behavior. The NCTC can now copy government databases, such as flight records and casino employee lists, and retain them for up to five years—a practice that was previously prohibited. Mary Ellen Callahan, CIPP/US, chief privacy officer of the Department of Homeland Security at the time, opposed the plan, calling it “a sea change in the way the government interacts with the general public.” Alexander Joel, CIPP/US, CIPP/G, of the Office of the Director of National Intelligence says, “The guidelines provide rigorous oversight to protect the information.” (Registration may be required to access this story.)

PRIVACY LAW

Delegates Reject Proposed Internet Treaty (December 14, 2012)

An alliance of Western countries including the U.S., UK and Canada has rejected a proposed treaty saying it would give repressive governments too much power over the Internet, CNET News reports. Representatives from the Netherlands, New Zealand, Denmark, Sweden, Poland and the Czech Republic also said they would not support the International Telecommunication Union (ITU) Treaty. Some representatives questioned whether the UN was the proper organization to oversee Internet-related issues, the report states, adding, “a key concern is that putting topics related to Internet speech and surveillance to a majority vote of ITU’s 192 member nations may not end well.”

PRIVACY LAW—U.S.

Senate Panel Passes Location Privacy Bill (December 14, 2012)

The Senate Judiciary Committee yesterday voted in favor of the Location Privacy Protection Act, reports The Hill. The bill would require companies to get customers’ permission before collecting or sharing mobile location data. Sen. Al Franken (D-MN), the author of the bill, said that while many apps already obtain consent before tracking users, a law is necessary to ensure the practice is mandatory. “I believe that Americans have the fundamental right to control who can track their location and whether or not that information can be given to third parties,” Franken said. The bill’s passage during this Congress is unlikely, the report states, but Franken is expected to push it again in the next Congress.

DATA PROTECTION—IRELAND

Many Companies Unaware of Data Obligations (December 14, 2012)

Many of Ireland’s companies are “unaware of their responsibilities in collecting, storing and destroying data,” writes data protection consultant Fintan Lawlor in The Independent. Noting recent fines handed down by courts and the data protection commissioner (DPC), as well as reputational risks, Lawlor advises companies take steps to become compliant with EU data protection laws. It’s important companies determine whether they need to register as a data controller with the DPC, explain to customers what data is being collected on them and ensure that the data collected is necessary and relevant to the purposes for which it is being collected, Lawlor says.

DATA PROTECTION

Center Releases Accountability Tool (December 14, 2012)

As part of the Global Accountability Project, the Hunton & Williams Centre for Information Policy Leadership has released an accountability self-assessment tool, reports Hunton & Williams’ Privacy and Information Security Law Blog. “In collaboration with experts…we’ve outlined the key elements of a sound program to help organizations take the concrete steps necessary to be accountable,” said Marty Abrams, the centre’s president. As accountability plays a larger role in legislation, “The results of the survey may be useful in demonstrating to regulators and other interested constituencies the design of an organization’s privacy program,” added Paula Bruening, vice president of Global Policy at the Centre.

ONLINE PRIVACY

Company Launches Social Login Privacy Seal (December 14, 2012)

Adweek reports on the launch of a social privacy certification and seal that aims to reassure consumers logging into an application or website via a social login such as Facebook or Twitter that their data “will not be abused or compromised.” Following a survey in which nearly half of respondents said they would be more comfortable using a social login if a short message indicated what information the site was collecting, Gigya collaborated with the Future of Privacy Forum (FPF) to develop its SocialPrivacy Certification. FPF Director Jules Polonetsky, CIPP/US, will chair Gigya’s recently established Privacy and Safety Advisory Board.

DATA THEFT

Authorities Arrest 10 for Data Theft (December 13, 2012)
International authorities have arrested 10 individuals from around the world for allegedly operating a network of infected computers for the purpose of stealing personal data from millions of users, The New York Times reports. Law enforcement authorities were aided in their investigation by Facebook, the report states. The Butterfly botnet allegedly spread malicious software to compromise the security of PCs, allowing the suspects to acquire personal information, including credit card numbers. The U.S. Justice Department said variations of this type of malicious software have infected approximately 11 million computers and caused more than $850 million in damages, the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Updates Privacy Settings (December 13, 2012)

Facebook has made changes to its privacy settings by giving users more control and clarity over what personal data is shared and by removing users’ ability to remain hidden from its main search tool, The Wall Street Journal reports. A new control, called Privacy Shortcuts, will allow people to alter who can see their posts and who can contact them through the site. Facebook Director of Product Samuel Lessin said, “We’re taking the most critical things and putting them in context across the whole site.” Electronic Privacy Information Center Executive Director Marc Rotenberg said, “Facebook’s decision not to allow people to hide themselves from search appears to violate the settlement” reached with the Federal Trade Commission earlier this year. (Registration may be required to access this story.)

PERSONAL PRIVACY—UK & U.S.

As Smart Meter Concerns Persist, UK Issues Rules (December 13, 2012)

National Geographic reports on the challenges facing smart grid proponents as consumers voice concerns about privacy, including how smart meter data will be used and who might have access to it. The U.S. has deployed smart meters to about one-fourth of customers nationwide, while the EU is working to meet a mandate that 80 percent of households use smart meters by 2020. The UK government has published a set of rules for its smart meter program in which “the consumer comes first.” In the U.S., federal laws regulating use of consumers’ energy data don’t yet exist, though some U.S. states are formulating rules. Editor’s Note: For more on this topic, see “Amidst Fledgling Smart Grid Safeguards, Utilities Self-Regulate and an Expert Offers A How-To” from the September edition of The Privacy Advisor.

BEHAVIORAL TARGETING—UK

ASA To Regulate Online Behavioral Advertising (December 13, 2012)

Early next year, the UK Advertising Standards Authority (ASA) will start regulating online behavioral advertising, reports Phil Lee, CIPP/E, of Field Fisher Waterhouse. Recent changes to the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing come into effect February 4. The revised code implements recommendations previously made by the European Advertising Standards Alliance. Lee says the revised code will likely bring a “regulatory flurry,” confusion about lawful tracking via cookies and increased enforcement by the ASA—which may prove to be a “more active regulator of targeted advertising than the ICO once the new rules come into effect.”
Full Story

MOBILE PRIVACY—U.S.

Sen. Franken Urges Action on Location Privacy Bill (December 13, 2012)

Sen. Al Franken (D-MN) is urging members of the Senate Judiciary Committee to move his Location Privacy Protection Act forward, MinnPost reports. The bill would prohibit “stalker apps” by outlawing mobile applications that share a cellphone’s location without the user’s knowledge and would require companies to acquire user permission prior to collecting and sharing location data. The Center for Democracy and Technology’s Justin Brookman said, “We’ve advocated for a comprehensive privacy law for years…This is a subset of that, but I think it’s an important one.”
Full Story

ONLINE PRIVACY

Microsoft Standing By Do-Not-Track Default (December 13, 2012)

Despite criticism from online advertising firms, Microsoft says it will stand by its decision to make its Do-Not-Track (DNT) feature the default in its latest Internet Explorer browser. “We crossed the Rubicon and are completely comfortable being on the other side of the river,” said Microsoft General Counsel Brad Smith. “We have no intention of going back and have no intention of engaging in discussion on that possibility.” Some advertisers have said they will ignore the browser’s privacy signals. Smith said Microsoft is willing to talk with advertisers about tweaks to how it describes DNT to users and how the setting can be altered.
Full Story

PRIVACY LAW—U.S.

Protester Pleads Guilty, Advocates Eye Appeal (December 13, 2012)

Occupy Wall Street protestor Malcolm Harris has pleaded guilty to disorderly conduct, paving the way for Harris to appeal the judge’s ruling that he has no legal right to challenge a subpoena served on Twitter for his posts, Reuters reports. The case has caught the eye of some privacy advocates, the report states, as it set a precedent that social media users do not own their content. Harris said, “Setting a legal precedent on how this material can be used is much more important” than the criminal charges levied against him. American Civil Liberties Union Lawyer Aden Fine said, “This case demonstrates why the law needs to keep up with technology.”
Full Story

CHILDREN’S PRIVACY—U.S.

App Temporarily Taken Offline Following FTC Complaint (December 12, 2012)
The maker of children’s mobile app “Mobbles” has temporarily taken the app offline in response to news that the Center for Digital Democracy has filed a complaint against it with the Federal Trade Commission. The complaint alleges Mobbles violates COPPA in failing to post its privacy policy appropriately and in collecting data from children—including addresses, e-mail addresses and geolocation information—without parents’ permission. “This complaint provides a glimpse into a much larger, rapidly growing children’s mobile market in which companies are unleashing all of the available techniques for targeting kids,” said Kathryn Montgomery, a children’s privacy advocate and professor at American University. Meanwhile, NPR reports on the FTC’s recent report on mobile apps and kids.

PRIVACY LAW—ITALY

Prosecutor Wants To Uphold Jail Time for Execs (December 12, 2012)

An Italian prosecutor is pushing to uphold jail sentences for three Google executives in an appeal stemming from a 2010 case in which a Milan judge found them guilty of violating the privacy of an autistic boy after his classmates uploaded a disparaging video to a Google site. Reuters reports that the executives were sentenced to six months of suspended jail time, but none of the three have faced actual imprisonment. The company has called the ruling an attack on freedom of expression on the Internet, but the prosecutor says, “Not only has the privacy of minors been violated but lessons of cruelty have been given to 5,500 visitors.” Editor’s Note: To learn more about liability in social media, read “Defamation by social media: Who’s liable?” from the October issue of The Privacy Advisor.
Full Story

SOCIAL NETWORKING

Facebook Vote Means Policy Changes Will Take Effect (December 12, 2012)

The results of Facebook’s recent vote over proposed changes to its privacy policy mean the company can proceed as planned, COMPUTERWORLD reports. The company’s standing rules state that the results of a user vote are binding if at least 30 percent of its one billion users participate. In the vote, which ended Monday, 589,141 users voted against the proposed changes, and 79,731 voted in favor. The changes mean Facebook users will not be consulted on upcoming changes and users' comments will be less important, the report states. An editorial in The Washington Post says the vote indicates Facebook users’ apathy about privacy.
Full Story

DATA LOSS—U.S.

Healthcare Breaches, Workers Resign (December 12, 2012)

Two managers at Jackson Health System in Florida have resigned under pressure after an alleged breach in its obstetrics unit in October, reports The Miami Herald. The hospital’s chief executive wrote a memo to county political leaders stating, “While no patients were harmed as a result of this incident, we concluded that Jackson policies were indeed violated,” adding, “Appropriate reports were made to regulatory agencies.” Meanwhile, North Carolina-based Carolinas HealthCare System is notifying 5,600 patients that their information may have been compromised when a hacker obtained e-mails from a provider’s account. While most of the e-mails did not contain personal information, Social Security numbers and medical information were included in some, the report states.
Full Story

PRIVACY

Reding, Harper and Fakhoury Share Perspectives (December 12, 2012)

Three installments in The New York Times' "Room for Debate" offer alternate perspectives on key privacy issues. European Commission Vice President Viviane Reding opines in favor of strong privacy laws, writing, "Personal data has become the currency of today's digital market. Like any currency, it needs stability and trust. Only if consumers can 'trust' that their data is well-protected, will they continue to entrust businesses with it, which will help the economy to continue prospering.” In a separate post, the Cato Institute’s Jim Harper offers perspectives on children’s online activities. Meanwhile, Hanni Fakhoury of the Electronic Frontier Foundation writes about ways privacy and technology can coexist. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—AUSTRALIA & UK

Australian DJs’ Hoax May Have Violated Law (December 12, 2012)

The Guardian reports a recent prank call to a UK hospital may have violated the Data Protection Act barring the obtaining or disclosure of personal records. The two Australian radio DJs who made a prank call to the hospital obtained personal data about a patient “without the consent of the data controller, which in this case is the King Edward VII hospital,” said one expert. Australian Federal Privacy Commissioner Timothy Pilgrim’s office has said it will not investigate a privacy breach at this time and will instead defer to the Australian Communications and Media Authority.
Full Story

CHILDREN’S PRIVACY—U.S.

FTC Issues Report on Mobile Apps and Kids (December 11, 2012)
The Federal Trade Commission (FTC) has released a report stating that mobile apps for children “fall short on disclosure to parents,” finding 20 percent disclose their data collection practices, The New York Times reports. The FTC looked at 400 popular children’s apps and said the results “paint a disappointing picture of the privacy protections provided by apps for children.” The commission is investigating whether federal laws have been breached. FTC Chairman Jon Leibowitz said the study indicates that “kids’ apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents.” Reed Smith’s John Feldman told the Daily Dashboard the report assumes that transparency is “an end in and of itself,” but there’s “no evidence that this is the case…The FTC staff is more or less throwing its chosen public policy about marketing to children up against the wall of the ‘app ecosystem’ to see what sticks. It doesn’t really say who has responsibility to disclose pertinent information, but rather just essentially says, ‘You guys work it out.’” Feldman suggests the report “hints strongly” at enforcement based on COPPA and Section 5 of the FTC Act, calling it “heavy-handed policy implementation without rulemaking procedures or legislative authorization.” He recommends marketers think about “what they could do to learn about the privacy practices of themselves and their contracting partners and what they could do to communicate those practices to the end user.”

PRIVACY LAW—CANADA

Stoddart: Proposed Breach Law Outdated (December 11, 2012)

Documents released under the Access to Information Act reveal that Federal Privacy Commissioner Jennifer Stoddart believes a proposed federal bill aimed at better managing data breaches “is beginning to look dated.” Prepared last June, Stoddart’s analysis of Bill C-12 also states, “Many international data protection agencies now have, or will soon have, much stronger enforcement powers than exist in Canada,” adding, “I am no longer certain I can provide wholehearted support for the legislation as currently drafted.” Stoddart also pushes for her office to have more sanctioning power, the Canadian Press reports.
Full Story

SOCIAL NETWORKING

A Look at Facebook’s Chief Privacy Officer (December 11, 2012)

The Hill reports on the work and responsibilities of Facebook Chief Privacy Officer (CPO) Erin Egan. As CPO, Egan is responsible for explaining the firm’s privacy policies to its one billion users—partly through its new “Ask the Chief Privacy Officer” feature—ensuring that feedback from lawmakers and regulators gets implemented in Facebook’s policies and weighing the privacy implications of new products, the report states. Her team reaches across multiple departments, including product development, security and privacy. Center for Digital Democracy President Jeffrey Chester said Egan has been willing to “have substantive discussions on key issues.” Meanwhile, student group Europe v. Facebook is reaching out for funding to bring a civil case against the company for alleged data protection violations.
Full Story

ONLINE PRIVACY—U.S.

Woman Files Suit Over E-mail Interception (December 11, 2012)

A Pennsylvania woman has filed a lawsuit against Google accusing the company of illegal wiretapping by intercepting e-mails sent to Gmail accounts, the Associated Press reports. Similar class-action suits have been filed nationwide on behalf of e-mail users without Gmail accounts who therefore did not accept Google’s terms of service. One class-action lawyer said the terms allow for e-mail interception for direct marketing purposes, but Google is “also intercepting e-mails of the non-Gmail account holder, in violation of wiretap laws in some states.” A Google lawyer wrote in a November 9 motion to dismiss a Maryland case that content-based advertising is a “routine business practice permitted under an exception written into the wiretap law,” the report states.
Full Story

ONLINE PRIVACY

Initiatives Could Impact the Future of User Privacy (December 11, 2012)

An op-ed in The Economist discusses two initiatives that could affect Internet users’ expectations of privacy in years to come. The first is a U.S. Senate bill that would update the Electronic Communications Privacy Act of 1986. The bill would require law enforcement agencies to obtain a warrant to access e-mails that have been opened or are more than six months old; now, only a subpoena is required. “Bringing online privacy requirements into an age of cloud computing is only fit and proper, and long overdue,” the report states. The second is the International Telecommunications Union’s effort to rewrite its treaty for regulating telecommunications companies worldwide by defining the Internet as a form of telecommunication.
Full Story

CONSUMER PRIVACY—U.S.

TVs that Watch the Viewer Raise Privacy Concerns (December 11, 2012)

A patent has been filed for a television setup that has the ability to see and hear what viewers are doing for the purpose of tailoring advertisements based on the user’s behavior, wdbo.com reports. Filed by Verizon, the patent suggests the system’s tracking abilities could communicate data between the user’s smartphone or tablet and television to observe what websites the viewer is surfing, the report states. According to a LiveScience.com report, the “idea crosses the divide between the digital and real worlds to extract information by essentially monitoring people’s behaviors in real life—an intrusion that many people may find extremely uncomfortable.”
Full Story

PRIVACY LAW—EU

EU Regulators Consider Censure (December 10, 2012)
The New York Times reports on potential plans by the EU’s group of data protection authorities (DPAs) to censure Google for its consolidated privacy policy if the company does not meet demands previously set forth by the regulators. In a two-day, closed-door meeting, the DPAs mapped out a preliminary strategy, which, the report states, includes testing whether Google is in compliance with national privacy laws in Ireland, Belgium and Finland, where the company operates data centers. A Google spokesman said the company is reviewing recommendations laid out by France’s DPA and is “confident that our privacy notices respect European law.” The DPAs may issue a public statement this week, the report states. (Registration may be required to access this story.)

ONLINE PRIVACY—U.S.

Entrepreneur Introduces Consumer “Data Vault” (December 10, 2012)

The New York Times reports on one entrepreneur’s “data vault,” which aims to allow consumers to take control of their online identities. Reputation.com’s Michael Fertik’s data vault allows consumers to decide who has access to their data and to what extent in exchange for goods such as coupons. Participating companies receive data on those consumers, including which products or services interest them. Meanwhile, Verizon recently launched a “rewards program,” in which consumers allow the company to collect data from their phone in exchange for coupons. A new paper by the Future of Privacy Forum’s Jules Polonetsky, CIPP/US, and Omer Tene asserts that “consumers are unlikely to object” to data collection when the use of their personal data benefits their experience online. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—U.S.

Groups Seek Progress on Disclosure Standardization (December 10, 2012)

Ongoing efforts by the mobile app industry and privacy advocates to create straightforward methods to relay to consumers what an app will do with their personal information have been “bumpy,” reports The New York Times. A coalition of the two groups has most recently proposed that apps release standardized, short-form notices. Tim Sparapani, senior adviser at the Application Developers Alliance, says app developers “want to do something that advances consumers’ trust in their industry.” Some have expressed frustration with a lack of progress. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Sites Blurring Online and Offline IDs, Report Says (December 10, 2012)

In a report by The Wall Street Journal, staff examined 1,000 top websites and found that approximately 75 percent of them featured social networking code that can match users' online identities with their web-browsing activities. And nearly one-quarter of the web’s 70 most popular sites shared personal data with third-party companies, according to the report. “The widening ability to associate people’s real-life identities with their browsing habits marks a privacy milestone, further blurring the already unclear border between our public and private lives,” the report states, adding, “In pursuit of ever more precise and valuable information about potential customers, tracking companies are redefining what it means to be anonymous.” (Registration may be required to access this story.)
Full Story

GENETIC PRIVACY—UK

Database Concerns Abound (December 10, 2012)

The Telegraph reports on an initiative to create a database “capable of storing every British citizen's DNA records” with an opt-out for those who do not want their data stored. “The UK will be the first country to introduce high-tech DNA mapping within a mainstream health system in a move designed to help it lead the world in tackling cancer and rare diseases,” the report states. Privacy advocates caution, however, that there are “very real privacy concerns” with the opt-out system and the potential ways DNA data could be shared with third parties.
Full Story

CONSUMER PRIVACY—GERMANY

Group To Sue Social Networking Site (December 10, 2012)

A group of German consumer organizations is planning to sue Facebook over allegations the company shares personal data with third-party app makers without getting users’ explicit consent, IDG News Service reports. The Federation of German Consumer Organizations (VZBV) asked the company to change its App Center privacy practices in July and now says the practices have not improved, the report states. A Facebook spokeswoman defended the company’s practices. The VZBV expects a hearing to commence next summer.
Full Story

PRIVACY LAW—U.S.

CA Attorney General Suing Delta (December 7, 2012)
Reuters reports California’s Attorney General's Office (AG) says it is suing Delta Air Lines for distributing a mobile application without a privacy policy. Delta’s “Fly Delta” app allows customers to check in and make reservations and collects details such as name, phone number, e-mail and geographic location, the report states. The civil complaint accuses Delta of violating California’s Online Privacy Protection Act by distributing the app “without a privacy policy since at least 2010.” The AG, which began warning app developers on October 30 that it would take enforcement actions against those without policies, had given Delta a warning and 30 days to come into compliance with the law.

PRIVACY LAW—EU

Facebook: Right To Be Forgotten Will Increase Tracking (December 7, 2012)

Facebook says the “right to be forgotten” provision in the EU draft data protection regulation will result in increased tracking of Internet users, TechWeekEurope reports. Facebook has been lobbying against the draft and says the right to be forgotten provision that would require companies to delete customer data upon their request “raises many concerns with regard to the right of others to remember and to freedom of expression.” If customers want all of their data deleted, companies will have to track them across websites other than their own. “As drafted, the proposals have privacy implications,” said Facebook’s policy communications manager in Europe.
Full Story

ONLINE PRIVACY—UK

Leveson Calls for New Laws (December 7, 2012)

BBC News reports on a call by Lord Justice Brian Leveson for new laws “to prevent ‘mob rule’ on the Internet.” Following the publication of his report on UK press standards, Leveson has indicated that “new laws would protect privacy and freedom of expression on the Internet,” the report states. Newspaper editors, meanwhile, have said they will respond to the government "very shortly" regarding implementation of the Leveson plan. "The editors of all national newspapers met...and unanimously agreed to start putting in place the broad proposals…for the independent self-regulatory system laid out by Lord Justice Leveson," their statement said.
Full Story

ONLINE PRIVACY—U.S.

FTC Puts Data Collection Under the Microscope (December 7, 2012)

Academics, advocates, industry representatives and privacy experts met yesterday to hash out the benefits and risks of online data collection. In a rapidly changing online environment largely driven by improving technology, there are no easy answers for balancing consumer privacy with market innovation. Digital Advertising Alliance Counsel Stuart Ingis said the market will best determine poor privacy practices, while others expressed concern that consumers cannot make informed decisions about web services because of the level of data collection occurring behind the scenes, COMPUTERWORLD reports. Independent researcher Ashkan Soltani said, “It’s hard to compete on something people don’t know about.”
Full Story

HEALTHCARE PRIVACY—U.S.

Report: Hospital Breaches Widespread (December 7, 2012)

A newly published report reveals that approximately nine out of 10 U.S. hospitals have experienced a data breach within the last two years. The Ponemon Institute study also revealed nearly half of those hospitals have reported more than five breaches. On average, 2,800 records are compromised per breach, the report states, and the effect is costly. The average monetary impact of a breach to a healthcare organization every year reaches $1.2 million, totaling approximately $7 billion to the entire U.S. healthcare system.
Full Story

TRAVELERS’ PRIVACY—U.S.

Vehicle Data Recorder Law To Be Proposed Soon (December 7, 2012)

The National Highway Traffic Safety Administration will likely propose regulations in the next few days that would require auto manufacturers to include event data recorders in all cars and light trucks, but Fox News reports that the manufacturers have been installing the “black boxes” in most new cars for years. The recorders are intended to collect information to help investigators determine the causes of accidents, but privacy advocates say the technology needs policies to prevent misuse of data. "Right now we're in an environment where there are no rules, there are no limits, there are no consequences and there is no transparency," said an Electronic Privacy Information Center spokeswoman.
Full Story

DATA PROTECTION—EU & U.S.

Hustinx: U.S. Adequacy Is Some Ways Away (December 6, 2012)

European Data Protection Supervisor Peter Hustinx has said he expects only a select number of U.S. IT companies will meet EU data protection standards for some time to come, IDG News Service reports. Responding to U.S. Ambassador to Europe William Kennard’s call for the U.S. to be given adequacy status, Hustinx said while that may happen in the future, “the ambassador was being a little optimistic,” the report states. Kennard has expressed concerns about some of the provisions within the EU draft data protection regulation, including that the draft gives the European Commission broad powers.
Full Story

MOBILE PRIVACY

Advocates Say Recent Arrest Highlights Mobile Risks (December 6, 2012)

The Sydney Morning Herald reports on how a tech millionaire was found using location-based data and the ways such incidents concern privacy advocates. John McAfee was located in Guatemala after a photo of him—which contained embedded details about his specific longitudinal and latitudinal location—was posted to the web by journalists. A hacker was able to unveil the embedded details. Privacy experts say smartphone users frequently have no idea how easily their mobile data may be collected, shared or stolen. The rules governing mobile data are “few and often unclear,” the report states.
Full Story

CONSUMER PRIVACY—U.S.

FTC Settles with Online Ad Network Over Tracking (December 6, 2012)
The Federal Trade Commission (FTC) and online ad network Epic Marketing have settled charges that Epic was “secretly and illegally gathering information” on web users’ browsing habits, Salon reports. Epic was allegedly tracking users conducting web searches for information on fertility issues, menopause, disability insurance and personal bankruptcy, among others, in order to send targeted ads. In the settlement, Epic agreed to cease its “history sniffing” practices indefinitely and delete any data it generated in the process.

PRIVACY LAW—EU

Alvaro: Right To Be Forgotten Needs Revisions (December 6, 2012)

Speaking at an event of the Congressional Internet Caucus Advisory Committee in Washington, DC, German Vice President of the European Parliament Alexander Alvaro said the provision in the proposed EU data protection law guaranteeing individuals the right to be forgotten needs to be limited. The right "has to be limited to the point where we're talking about judicially, clearly examined, illegal violations of rights,” he said, adding it will not be used as a tool to curtail freedom of expression. Alvaro is pushing for context-based privacy protection, noting that other provisions—such as explicit consent—may also need revision, reports FierceGovernmentIT.
Full Story

MOBILE PRIVACY—U.S.

Committee To Consider Measure on Location Privacy (December 6, 2012)

Sen. Al Franken (D-MN) has released a revised version of legislation he introduced last year that would require companies to obtain user consent before collecting and sharing location-based data. The bill would allow companies to obtain one-time consent. The Senate Judiciary Committee is scheduled to consider the measure today, Bloomberg reports. S 1223 follows hearings on mobile privacy Franken held last year with representatives from Apple and Google. The bill’s revision includes language that restrictions on collecting and sharing location data wouldn’t apply to law enforcement authorities.
Full Story

CONSUMER PRIVACY—U.S.

FTC Leaders Reflect, Discuss Key Issues (December 6, 2012)

Departing FTC Commissioner J. Thomas Rosch and Bureau of Consumer Protection Director David Vladeck reflected this week on their rich and eventful tenures at the agency while expressing differing views underlying the FTC’s role in consumer privacy protection. Speaking at the IAPP Practical Privacy Series in Washington, DC, Vladeck said “the FTC takes commitments about privacy seriously and has the capacity to police an increasingly complex ecosystem.” Rosch discussed what he described as the “new privacy paradigm” that began in 2010. This exclusive for The Privacy Advisor examines their comments and includes insights from Arnall Golden Gregory Partner Bob Belair.
Full Story

PRIVACY LAW—U.S.

Law Restricting SSN Requests Takes Effect (December 6, 2012)

Syracuse.com reports on a new state law that limits when New York businesses may ask consumers for their Social Security numbers (SSNs). The law takes effect on December 12 and forbids companies and individuals from requesting SSNs from individuals except under certain circumstances. It also forbids denial of services based on an individual’s refusal to provide an SSN. The bill was signed by Gov. Andrew Cuomo this summer, the report states. Its sponsor, Sen. Lee Zeldin (R-Shirley), said the “widespread public exposure of our personal information, especially our Social Security numbers, coupled with the almost universal use of the Internet, makes it that much easier for criminals to steal our identities.”
Full Story

PRIVACY LAW—U.S.

Advocates, Advertisers Differ on COPPA (December 6, 2012)

The Philadelphia Inquirer examines reactions to the effort to update “the rules enforcing the Children's Online Privacy Protection Act (COPPA)” for the first time in a dozen years. “Industry and public-advocacy groups have been pushing hard—often at cross-purposes—over the update underway at the Federal Trade Commission,” Jeff Gelles writes, contrasting comments from the Center for Digital Democracy—one of the nonprofits that has released a survey showing support for COPPA revisions—with those of the Interactive Advertising Bureau. Gelles describes the debate about children’s privacy as “a window onto broader issues of how information about all of us is gathered online, used, shared and traded.”
Full Story

PRIVACY LAW—U.S.

Attorney General To Fine Noncompliant Apps (December 5, 2012)
ArsTechnica reports on California Attorney General Kamala Harris’ plans to fine mobile app developers who don’t have a privacy policy clearly visible to consumers. On October 30, Harris started notifying developers that they are covered under California’s Online Privacy Protection Act, which applies to any service provider that collects information from any Californian, the report states. Harris worked with major platforms such as Google, Microsoft and Apple to bring apps they sell into compliance in February. Developers who do not comply with the law may face fines of up to $2,500 per app download. Meanwhile, Forbes reports on apps’ storage of consumers’ personal information and steps consumers can take to control their own data.

CLOUD COMPUTING—EU & U.S.

Report: USA PATRIOT Act Could Bypass EU Law (December 5, 2012)

Researchers from the University of Amsterdam’s Institute for Information Law have released a paper validating reports that the USA PATRIOT Act could allow U.S. law enforcement to obtain EU citizens’ data, bypassing EU privacy laws, reports CBS News. The researchers say that because “most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction,” entities—including governments—located outside the U.S. that use U.S.-based cloud services could be required to allow U.S. law enforcement to access their data. Axel Arnbak, co-author of the report, says, "The risk of data access by U.S. authorities to cloud data is realistic and should form an integral part in any decision-making process to move data into the cloud.”
Full Story

PRIVACY—INDIA

Professors Publish Largest To-Date Study on Privacy in India (December 5, 2012)

In an effort to better understand privacy perceptions in India, two researchers have conducted the largest-ever survey on the topic. Prof. Ponnurangam PK (PK) and Niharika Sachdeva have published “Privacy in India: Attitudes and Awareness V 2.0,” which follows a smaller version of the study, published in 2005. The survey found that 76.63 percent of Indians surveyed felt that “consumers have lost control over how personal information about them is circulated and used by companies.” In 2004, only seven percent of consumers mistrusted businesses. India is “on a path” toward becoming privacy-aware and concerned, the authors state.
Full Story

DATA LOSS—U.S.

Commissioner To Review Company’s Safeguards (December 5, 2012)

eSecurity Planet reports California Insurance Commissioner Dave Jones has said he will conduct a review of Nationwide Insurance’s cybersecurity measures to be sure its efforts adequately protect customers’ personal information. The planned review is in response to a breach of Nationwide’s computer system database in October affecting customers seeking a price quote from Nationwide or one of its affiliates over a 13-month period. The data breached included Social Security numbers, names and—in some states—driver’s license numbers and dates of birth. The company alerted those potentially affected beginning on November 16. Jones said Nationwide has agreed to update the commissioner’s office on the findings of its internal investigation.
Full Story

PRIVACY LAW—AUSTRALIA

OAIC Pushes for Breach Notification, Others Voice Concerns (December 5, 2012)

The Office of the Australian Information Commissioner and advocacy groups have submitted to the attorney general their support for mandatory data breach notification—a provision not included in last week’s amendments to Australia’s privacy law, reports CIO. Other groups, however, say that “notification fatigue” and the recent amendments to the law may mean a notification requirement is not the right course of action. "We suggest that the effectiveness and consequences (both intended and unintended) of those amendments should be experienced and properly considered before further amendments are made," said a Law Council of Australia spokeswoman.
Full Story

PRIVACY LAW—EU & U.S.

Ambassador Concerned with Draft’s Provisions (December 5, 2012)

New Europe reports on U.S. concerns about the broad authority that may be granted to the European Commission under the EU’s draft data protection regulation. While U.S. Ambassador to the EU William Kennard has welcomed the regulation saying “policy makers on both sides of the Atlantic” have an opportunity to “work together to find common success,” he also voiced concerns about the commission’s authority under the proposal to “unilaterally prescribe technical standards for data protection without the full participation of industry interests.” Kennard also noted concern about implementing the draft’s explicit consent and right to be forgotten provisions.
Full Story

SOCIAL NETWORKING

U.S. Judge Approves Facebook Settlement, Policy Voting Open (December 4, 2012)
A U.S. judge has given preliminary approval of Facebook’s proposed settlement to a class-action lawsuit claiming the company violated privacy rights, Reuters reports. The judge says the settlement, Facebook’s second attempt, “falls within the range of possible approval as fair, reasonable and adequate.” Class members and others will have an opportunity to object to the settlement before it goes to final approval. A fairness hearing is scheduled for June 28, 2013. Meanwhile, the company has opened voting for its latest proposal to change user privacy settings. The vote is open until Monday, December 10, to all Facebook users and may determine whether its roughly one billion users will have the ability to vote on privacy changes going forward; the vote is only binding if 30 percent of users participate. The Electronic Frontier Foundation and the Center for Digital Democracy have written to Facebook CEO Mark Zuckerberg urging him to “withdraw the proposed changes” as they “raise privacy risks for users, may be contrary to law and violate your previous commitments to users about site governance.”

PRIVACY LAW—U.S.

Advocates Pleased with Committee Passage of ECPA Update (December 4, 2012)

Privacy advocates are pleased with the Senate Judiciary Committee’s passage of a bill last week to close a loophole in the 1986 Electronic Communications Privacy Act, TechNewsWorld reports. The loophole allows law enforcement to view e-mail messages over 180 days old without a warrant. The ACLU’s Chris Calabrese said the bill “does exactly what we wanted it to do: have full warrant protection for all private electronic content.” The Electronic Frontier Foundation’s Lee Tien said, “Congress is sending a strong message to the Department of Justice that our digital Fourth Amendment rights don’t expire after six months.”
Full Story

SOCIAL NETWORKING—EU

Europe v. Facebook Plans Suit (December 4, 2012)

Austrian student group Europe v. Facebook has said it plans to challenge Facebook’s privacy policies in court, The New York Times reports. The group claims the social networking site’s changes to its privacy policy do not go far enough to comply with European data protection law. In recent times, the group has succeeded in petitioning the site to turn off its facial recognition feature in Europe and limit its retention of some data. But the group’s leader, Max Schrems, says the site “has done only about 10 percent of what we had asked them to do. Therefore, we are preparing to go to court.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

MP: Public and Private Organizations Should Work Together (December 4, 2012)

Senior Member of Parliament Crispin Blunt says private-sector organizations can help public agencies strike a balance between reaping the benefits of sharing data across agencies and protecting personal information, reports Publicservice.co.uk. Blunt recently chaired a Parliament event where public- and private-sector groups came together to discuss best practices in data-sharing transparency. "This is a complex issue, and we need to work with the private sector to ensure this is progressed in a cost-efficient way with the appropriate safeguards to strike the right balance of protecting the privacy of the individual and providing more cost-effective services to the general public," Blunt said.
Full Story

ONLINE PRIVACY—U.S.

Center for Internet and Society Names Director of Privacy (December 4, 2012)

Aleecia McDonald has been named the director of privacy at Stanford Law School’s Center for Internet and Society. She will “lead the center’s work at the intersection of online technologies, privacy and policy” with a focus on Do Not Track, privacy-enhancing technologies and mobile privacy, among others. McDonald has worked as a senior privacy researcher at Mozilla and as co-chair of the World Wide Web Consortium’s Tracking Protection Working Group. She told the Daily Dashboard she will also co-teach a class on privacy to Stanford Law School students and facilitate events and conferences on privacy issues as well as conduct academic research. She says she’s especially looking forward to working with peers of such a high caliber in an interdisciplinary way, which will enable a variety of perspectives on such a complicated and nuanced topic as privacy. “I just feel amazingly fortunate that I get to work on things I’m passionate about. I think right now privacy is an exceedingly interesting area and particularly interesting in terms of the public policy side. It’s getting a lot of attention that it won’t have every year,” she said. “I feel like a kid in a candy store; I get to do the cool stuff. I’m really lucky.”
Full Story

HEALTHCARE PRIVACY—U.S.

McGraw: De-Identification Guidance Good First Step (December 4, 2012)

The Center for Democracy & Technology’s Deven McGraw says the Department of Health and Human Services’ Office for Civil Rights’ issuance of guidance for methods of de-identifying data in healthcare records is “a good first step toward achieving a better quality, less expensive healthcare system that carries the added benefit of better protections for individual patient health records.” Meanwhile, GovInfoSecurity reports on a new Office of Inspector General report recommending the Centers for Medicare and Medicaid improve oversight of the HITECH Act’s incentive program for meaningful use of electronic health records.
Full Story

PRIVACY LAW

Conference on UN Internet Treaty Begins (December 3, 2012)
Regulators from 193 countries are in Dubai for the World Conference on International Telecommunications, and some say the discussions may threaten the future of the Internet, reports BBC News. EU Digital Agenda Commissioner Neelie Kroes tweeted, “The Internet works; it doesn’t need to be regulated by ITR treaty,” and Google representatives say the conference is a threat to the “open Internet.” But the report states that the UN International Telecommunications Union says action is needed to ensure investment in infrastructure and insists that, rather than a majority view, common ground is needed before any changes will be made to the treaty. Editor’s Note: For more on this topic, see “Privacy worries surround UN Internet regulations” from the September issue of The Privacy Advisor.

BEHAVIORAL TARGETING

Rosen: Why You Should Care About Profiling (December 3, 2012)

George Washington University Law Prof. Jeffrey Rosen writes for The New York Times, “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.” Rosen creates two distinctive online identities for himself on different browsers, compares the ads he sees and—through data aggregator BlueKai, which sorts consumers into market segments—views their profiles. Rosen says such profiles lead to an uneven playing field for consumers but says “there is more at stake…the possibility of not only shared values but also a shared reality becomes more and more elusive.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

App Developers, Privacy Advocates Work on Policies (December 3, 2012)

The Washington Post reports that mobile application developers and privacy advocates are collaborating to create better ways to communicate privacy policy information to users as part of a National Telecommunications and Information Administration (NTIA) initiative. The App Developers Alliance, Consumer Action, World Privacy Forum and American Civil Liberties Union together identified 12 data elements that hold the most weight with consumers and created mock-ups of screens that show highlights of privacy policies. The group will present its proposal on Friday at an NTIA meeting in Washington, DC. Meanwhile, a PrivacyChoice study has found that 20 percent of websites may sell consumers’ information and 60 percent make no commitment to deleting it. (Registration may be required to access this story.)
Full Story

CONSUMER PRIVACY—U.S.

Interim “Red Flags” Rule Narrows Coverage (December 3, 2012)

The Federal Trade Commission (FTC) has published its Interim Final Rule on identity theft “red flags.” The interim rule revises the scope of entities covered by the rule, following Congressional legislation in 2010 narrowing the definition of “creditors.” Congress directed the FTC and several banking agencies to develop regulations requiring financial institutions and creditors to develop and implement a written identity theft prevention program. Under the amended rule, creditors are only covered if they regularly obtain or use consumer reports in credit transactions; provide information to consumer reporting agencies “in connection with a credit transaction,” or advance funds “to or on behalf of a person.” A 60-day comment period and review precede the rule’s finalization.
Full Story

BIG DATA—U.S.

Congressmen To Hold Data Broker Caucus Briefing (December 3, 2012)

Congressmen Ed Markey (D-MA) and Joe Barton (R-TX) have invited nine major data brokers and the Direct Marketing Association to participate in a December 13 caucus briefing. The congressmen wrote to the brokers in July to request information about how the companies collect, sell and share customer data. The responses offered “only a glimpse” into the industry’s practices, the congressmen said in November. The December briefing aims to inform the public about the industry. “We hope to have an open and educational discussion about how data brokers operate, the benefits and potential pitfalls of industry activities and how the practices of the companies impact millions of Americans.”
Full Story

DATA LOSS—U.S.

University, Billing Company Announce Breaches (December 3, 2012)

Western Connecticut State University is notifying 235,000 students and others that their personal information may have been exposed. A vulnerability in the university’s computer system was found to have existed from April 2009 to September 2012. The at-risk information includes Social Security numbers. The university is offering up to two years of identity theft protection to those affected. Meanwhile, Advanced Data Processing has announced a data breach after an employee illegally accessed individual account information. The company learned of the breach October 1. World Privacy Forum’s Pam Dixon said the company’s handling of breach notification was “poor business practice.”
Full Story