Privacy News | Daily Dashboard


Top Privacy News

ONLINE PRIVACY—U.S.

Weitzner’s Latest Move Brings Opportunity, Criticism (March 29, 2013)
Former White House Deputy Chief Technology Officer for Internet Policy and winner of this year’s IAPP Privacy Leadership Award Daniel Weitzner recently took on the job of senior academic advisor to Hogan Lovells’ new Coalition for Privacy and Free Trade, evidence of privacy's increasing role in trade discussions, reports Mother Jones. Marc Rotenberg, president of the Electronic Privacy Information Center, says Weitzner is deserving of “a fair amount of credit” for the drafting of the lauded Consumer Privacy Bill of Rights that gives consumers more control over their data, but other privacy advocates are concerned the coalition will help big tech firms “continue to have free rein over their users' personal information.” Weitzner, for his part, says, “It's true that I worked on privacy in the administration, and I continue to work on privacy issues. But I believe really strongly that privacy tends to make progress when there are broad coalitions."

MOBILE PRIVACY—U.S.

Ninety Percent of Workers Use Personal Phone for Work (March 29, 2013)

A CITEworld report outlines the findings of a recent Cisco partners study on bring-your-own-device (BYOD) practices in the U.S. The study found 90 percent of American workers use their personal smartphones for work. Education workers reported the highest percentage of personal smartphone use at work, at 95.2 percent. The industry with the highest confidence in its BYOD readiness is the banking industry, at 53 percent.

PRIVACY LAW—U.S.

State Privacy Legislation News: A Brief Review (March 29, 2013)

Several state legislatures—from California to Arkansas—considered an array of privacy legislation during the past week, as reported by numerous outlets. Bills covering warrantless surveillance by law enforcement, employee social media privacy protections and even a bill considering the right of farmers to not have their land captured on video are all reviewed in this brief roundup. Editor’s Note: The Privacy Tracker, a suite of services providing updates on the latest federal and state legislative activity, will host its next monthly audio conference next Thursday, April 4 at noon ET.

ONLINE PRIVACY

Dennedy Offers Tips for Consumers (March 29, 2013)

Noting the uptick in victims of cyber attacks and the huge increase in the number of malicious smartphone applications identified last year, McAfee Chief Privacy Officer Michelle Dennedy, CIPP/US, writes for The Huffington Post about online threats to consumers. “Most consumers assume that the websites they frequent have top-notch cybersecurity and privacy controls. Rather than assume, users should do some simple investigating on the security of these sites,” Dennedy writes, offering the following tips to consumers: Change passwords often, read privacy settings and licensing agreements, avoid public or open WiFi and practice safe surfing.

STUDENT PRIVACY—U.S.

Opinion: Critics Misinterpret FERPA Regs (March 29, 2013)

In a blog for The Washington Post, inBloom’s Steve Winnick notes “there has been much discussion regarding the privacy and use of student data and the role of the Family Educational Rights and Privacy Act (FERPA),” suggesting, “Data-driven instructional technology has been available in classrooms for over a decade” and FERPA provisions allow the disclosure of student records. In the wake of concerns about student privacy, Winnick writes, “inBloom has adopted data privacy and security protections that meet the highest industry standards, exceed FERPA requirements and are designed to ensure that student data are used only for agreed-upon education purposes and not further disclosed.” (Registration may be required to access this story.)

PRIVACY LAW—CANADA

Supreme Court: Warrant Needed for E-mails, Texts (March 28, 2013)
Canada’s Supreme Court has ruled that police need to obtain a judicial warrant prior to accessing an individual’s electronic communications, The Globe and Mail reports. In a 5-2 majority, the justices invalidated a general warrant obtained by an Ontario police investigation in 2010 that required Internet provider Telus to disclose stored text messages and future electronic communications of three suspects. The court ruled the police should have obtained a judicial wiretap authorization. “Technical differences inherent in new technology should not determine the scope of protection afforded to private communications,” said Justice Rosalie Abella. Scott Hutchison, a lawyer representing Telus, said, “The court is saying that the fact a communication takes a particular form cannot deprive it of its private nature.”

HEALTHCARE PRIVACY—U.S.

HIPAA Provision Commonly Misunderstood (March 28, 2013)

The New York Times highlights one patient’s account of a HIPAA-related incident to illustrate ways in which the law is misunderstood. The woman’s sister was not allowed to accompany her to an examining room, despite her pleas to the contrary. However, HIPAA “doesn’t prevent healthcare professionals from sharing relevant information with family members unless the patient specifically objects,” writes Paula Span. Meanwhile, the U.S. Department of Health and Human Services is investigating allegations that a Pennsylvania 911 dispatch center shared information protected under HIPAA with a former police chief via e-mail. The current police chief says the breach extends beyond a singular case and individuals wrongly had access to the call database. (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Judges Concerned Over “Stingray”; FBI Seeks More Power (March 28, 2013)

The use of a surveillance system, “Stingray,” which simulates a cellphone tower to enable authorities to locate individual cellphones, has some judges expressing concern over the invasiveness of the technology, reports The Washington Post. There are two main concerns, judges and activists say: “whether federal agents are informing courts when seeking permission to monitor suspects, and whether they are providing enough evidence to justify the use of a tool that sweeps up data not only from a suspect’s wireless device but also from those of bystanders in the vicinity.” Meanwhile, the FBI is making it a “top priority” to gain more power to tap into all forms of Internet communications and cloud storage, reports Slate. (Registration may be required to access this story.)

DATA PROTECTION—GERMANY & U.S.

Corporate Privacy Practices Surprisingly Similar (March 28, 2013)

In the second of a series of blog posts for the IAPP’s Privacy Perspectives, Profs. Deirdre Mulligan and Kenneth Bamberger write of their research, “The two countries in which privacy officers were most empowered, and most involved in shaping firm strategy, couldn’t be more different in terms of their regulatory substance and form—Germany and the U.S.” They note that the results are “especially startling, because in global debates the German legal commitment to privacy protection is frequently held up as representing one end of the spectrum (strongest), while the U.S. approach is placed at the other.” In the post, Mulligan and Bamberger delve into why “a few elements of the German scene stand out in explaining some of the similarities.”

CYBERSECURITY—UK

Gov’t To Partner With Industry on Cyber Threat Info (March 28, 2013)

ComputerWeekly reports that the UK government has unveiled plans to work with industry to share cyber-threat information. The Cyber Security Information Sharing Partnership (CISP) features a virtual “collaboration environment” portal where government and business can securely share intelligence on cyber threats and vulnerabilities. The initiative also has the support of the Obama administration. Former White House Cyber Security Advisor Howard Schmidt said, “U.S. experience has shown the importance of leadership in business in fighting cyber threats, and that is why the UK CISP is important and will succeed.” Editor’s Note: The breakout session Cyber Attacks: Legal Implications for Financial Institutions will be part of the IAPP Data Protection Intensive in London, UK, April 23-25.

PRIVACY LAW—EU

Opinion: EC Proposal Will “Stifle Innovation” (March 28, 2013)

Wired reports that James Leaton Gray, head of information policy and compliance at the BBC, recently warned attendees of an e-privacy seminar that the European Commission, in writing its data protection proposal, is playing catch-up with technology instead of creating a scalable system that looks toward the future. Gray said the regime will “stifle innovation. I know it's not intending to—but it's thinking about the present world, not the future world. We have to get used to the idea that the TV set is going to be the computer of the future—people will sit in front of it, interacting, it will be gesture-based.” He acknowledged specific challenges like getting consent from the “thousands of channels you use.” Editor’s Note: This year’s IAPP Data Protection Intensive features several panels exploring the latest developments on the proposed General Data Protection Reform.

DATA PROTECTION—UK

ICO May Get Audit Powers; 80 Percent of ICO Fines Self-Reported (March 27, 2013)
Out-Law.com reports that the UK Ministry of Justice has opened a consultation on making public health organizations subject to compulsory data protection audits by the Information Commissioner’s Office (ICO). Currently, the ICO has powers to audit central government departments but must obtain consent from other public bodies prior to an audit. And a new Field Fisher Waterhouse (FFW) report has found that 84 percent of the fines issued by the ICO in 2012 were handed down to organizations that self-reported a breach. FFW Partner Stewart Room, CIPP/E, said, “The likelihood is that many controllers will be deterred from coming forward due to fears of fines and the absence of positive incentives.” Room added, “organizations who come forward should be treated similarly to those who undergo an audit.” Editor’s Note: Room will speak in more detail about these findings next month at the IAPP’s Data Protection Intensive in London.

DATA PROTECTION—ASIA PACIFIC & EU

EU and APEC Working Towards Data Transfer System (March 27, 2013)

Hunton & Williams’ Privacy and Information Security Law Blog reports on the Article 29 Working Party’s (WP29) press release outlining efforts made to promote cooperation between EU and Asia-Pacific Economic Cooperation group (APEC) data transfer systems. A joint EU-APEC committee has been comparing the EU’s binding corporate rules framework and APEC Cross-Border Privacy Rules with a goal of creating “practical tools, including a common referential, for those multinational companies that have data collection and/or processing-related activities in both the European Union and APEC region,” the press release states. The WP29 and APEC are expected to adopt a roadmap in the coming months in order to continue their work in this area.

PRIVACY LAW—EU

Debates Around Proposed Regs Heat Up (March 27, 2013)

Stakeholders across the spectrum are voicing their opinions of the European Commission’s proposed data protection regulation. The Irish presidency recently published an update to the European Council of Ministers on its progress with the proposed framework, highlighting the presidency’s aim to instill a more risk-based approach, Hunton & Williams’ Privacy and Information Security Law Blog reports. In a press release, EU Justice Commissioner Viviane Reding and Telefonica’s Ronan Dunne stressed the significance of the proposed reform, while UK Information Commissioner’s Office Deputy Information Commissioner David Smith has promoted a “proportionate” take on it. TechWeekEurope has also reported that an EU source has said that UK government lobbying efforts to minimize privacy protections in the proposed regulation will not succeed. Meanwhile, GlaxoSmithKline’s Mina Mehta cautioned the reforms do not take into account the implications placed on smaller businesses. Editor’s Note: Two representatives from the UK’s ICO will speak at the IAPP’s Data Protection Intensive in London, April 23-25, and Mehta will speak in the breakout session To Be, or Not To Be Personal Data.

ONLINE PRIVACY

Facebook Wants DPAs Back In; Adds New Targeted Ads (March 27, 2013)

As Facebook CPO for Policy Erin Egan discussed at the IAPP Global Privacy Summit, the company yesterday introduced targeted ads to its newsfeed, known as Facebook Exchange, that use a customer’s past browsing history. Financial Times notes that this move raises new privacy fears. The news comes as Facebook wades further into the debate over the EU’s draft data protection regulation, with company officials telling EUObserver that some language could be a “huge disincentive for the companies to comply.” Further, Facebook strenuously supports the current role of DPAs heading up enforcement.

PRIVACY LAW—PERU

Peru Issues Data Protection Regulations (March 27, 2013)

Peru this week issued the implementing regulations of its new data protection law. Hunton & Williams’ Privacy and Information Security Law Blog reports the regulations provide rules on territorial scope, notice and consent, data transfers, processing of personal data relating to children and adolescents, data subjects’ rights and registration of databases, among others. Allende & Brea Attorney Pablo Palazzi notes, “The enactment is very important because Colombia is also working in the regulations of its data protection law.”

SMART GRID—U.S.

Judge: Privacy Concerns “Unfounded” in Smart Meter Case (March 27, 2013)

Judge John Lee has dismissed a federal lawsuit filed by the Naperville Smart Meter Awareness Group against the City of Naperville. Lee’s 24-page ruling stated the group “did not pursue any state remedies prior to filing a lawsuit in federal court” and that the city “has precautions in place to guarantee that electric usage data gathered from meters for the purposes of running the utility will not be shared without consumer consent.” The ruling also stated privacy concerns were “unfounded,” as there was no proof consumer data was being collected or used without consent, Positively Naperville reports.

SURVEILLANCE—UK

UK Proposals Would Require Vast Data Collection (March 27, 2013)

British security services say advances in technology have made tracking criminals increasingly difficult, Stuff.co.nz reports. In response, Britain is proposing surveillance laws that would require communications firms to collect and store vast amounts of data. The proposals have drawn the ire of human rights advocates and major corporations alike. A spokesman from Privacy International says companies’ disclosure of user data for police investigations isn’t the issue: "The problem is the Home Office want much more than that. They want these companies to record these activities just in case at some point in the future I may become a suspect. That's not the way things work in a democratic society."

GEO PRIVACY

Report: Location Data Creates “Fundamental Constraints” on Privacy (March 26, 2013)
BBC News reports on a new study revealing that patterns of human movement are predictable enough to identify a specific smartphone user from four data points. The Scientific Reports study analyzed 15 months of human mobility data on 1.5 million users. In an age of ubiquitous mobile phone usage, aggregated datasets are coveted by advertisers, help map emergency services and fuel a new generation of social scientists. The report concludes, however, that “even coarse datasets provide little anonymity” to users. “These findings represent fundamental constraints to an individual’s privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals,” the study states.

DATA LOSS—NEW ZEALAND

Earthquake Commission Breach Affects 10,000 (March 26, 2013)

Earthquake Commission (EQC) Chief Executive Ian Simpson has offered to resign over a massive privacy breach in which an EQC staffer sent a spreadsheet containing details on nearly 10,000 claims to a third party, Stuff.co.nz reports. Privacy Commissioner Marie Shroff says she expects some complaints as affected individuals are notified, and she is considering writing to public-sector CEOs in an effort to prevent future breaches. “We hope that agencies are starting to realize that they should have stronger controls in place to help to prevent these types of mistakes,” Shroff said. “But they clearly have a way to go yet."

CONSUMER PRIVACY—U.S.

Brill: Commission To Stay On Privacy Pursuits (March 26, 2013)

Federal Trade Commissioner Julie Brill says she does not expect any “major surprises” under the leadership of Chair Edith Ramirez, Bloomberg BNA reports. Speaking at a recent event, Brill said the commission will continue to stay active on initiatives involving privacy. “I do think the commission will probably stay on roughly the same course that we’ve been on for the past three to four years.” Ramirez has indicated her priorities include enforcement of the Children’s Online Privacy Protection Act, and Brill noted Ramirez’s expressed interest in a new study on the Internet of Things, on which the commission aims to release a report later this year.

PRIVACY LAW

Commerce’s Kerry: Privacy Regulation Should Not Be Barrier to Trade (March 26, 2013)

General Counsel for the U.S. Department of Commerce Cameron Kerry keynoted a well-attended data privacy seminar in his home state of Massachusetts yesterday. Kerry advocated for the fundamental underpinnings of U.S. President Barack Obama’s Consumer Privacy Bill of Rights and the general privacy blueprint he’s helped craft as co-chair of the Internet Policy Task Force and the National Science and Technology Council’s Subcommittee on Commercial Data Privacy but also expressed concerns about ways that EU privacy legislation may hinder efforts at interoperability by proposing things that are not technologically or commercially feasible.

DATA LOSS—U.S.

PHI of 2,600 Clinic Patients Missing (March 26, 2013)

A Utah-based medical clinic has sent out notification letters after discovering 2,600 appointment records slated to be shredded instead went missing, HealthITSecurity reports. The records included names, appointment dates, reasons for the visits and internal medical numbers. Addresses, Social Security numbers and financial information were not among the misplaced data. The clinic has reported the incident to the Department of Health and Human Services and expects to undergo an investigation, a clinic representative said. Health breaches in Utah “have even more weight” after two large breaches that affected the Utah Department of Health within the past year, the report states.

DATA PROTECTION

Westerman: Privacy Pros Need To Be Trust Pros (March 26, 2013)

In the first in a series of blog posts for the IAPP’s Privacy Perspectives, Create With Context CEO Ilana Westerman writes, “Businesses should stop focusing on privacy and start focusing on trust” and notes that fostering trust “will create value and revenue” for companies. Privacy professionals should become trust professionals, she notes, adding, “Privacy and trust are two sides of the same coin but lie at opposite ends of the emotional spectrum.”

BIG DATA

Opinion: Is Anonymization Possible? If Not, Then What? (March 26, 2013)

Anonymization is intended to allow businesses to collect and use huge amounts of information while minimizing risks to consumers if, for example, a developer’s database gets hacked. But some studies say true anonymization is not possible. David Meyer opines in GigaOM that this level of data collection is not going to stop, “so we need to develop workable guidelines for protecting people. Those developing data-centric products also have to start thinking responsibly—and so do the privacy brigade. Neither camp will entirely get its way: There will be greater regulation of data privacy, one way or another, but the masses will also not be rising up against the data barons anytime soon.”

ONLINE PRIVACY—U.S.

Big Tech Firms Tighten Up on Privacy (March 25, 2013)
As the Federal Trade Commission steps up efforts to hold vendors responsible for protecting personal information, Apple and others are ramping up privacy protections. Apple has introduced two-factor authentication for purchases on its platforms and announced a change from its Unique Device Identifier (UDID) to the Identifier for Advertisers system (IFA), reports CSO. The IFA is a random, impermanent number that cannot be used to identify the device user, unlike the UDID. Meanwhile, Google is shuttering its Google Reader service in efforts to avoid future privacy mishaps, according to one report, and Mozilla is changing its Persona privacy policy to better reflect its practices. The company says it noticed “we claimed we were retaining data which, in fact, we do not retain.”

SURVEILLANCE—U.S.

Bloomberg: CCTV, Drones Will Be Everywhere (March 25, 2013)

New York City Mayor Michael Bloomberg has said that within the next five years, “We’re going to have more visibility and less privacy,” the New York Daily News reports. He noted that cameras and drones will soon be present within the city. “You wait; in five years, the technology is getting better,” he said, suggesting there will “be cameras everyplace…whether you like it or not.” The New York Civil Liberties Union has documented approximately 2,400 public cameras in Manhattan. “It’s scary,” Bloomberg said. “But what’s the difference whether the drone is up in the air or on the building?” He added, “People are working” on facial recognition software for the cameras as well. “It’s just we’re going into a different world, unchartered.”

CONSUMER PRIVACY—U.S.

Bed Bath & Beyond May Face ZIP Code Class Action (March 25, 2013)

A complaint has been filed in the U.S. District Court in Boston, MA, against Bed Bath & Beyond for collecting consumers’ ZIP codes, The Boston Globe reports. The complaint seeks class-action status and comes a week after the Massachusetts Supreme Judicial Court ruled that retailers may not require consumers to disclose their ZIP codes when making purchases. According to complainant Melissa Tyler—the same resident who sued Michaels Stores on similar grounds—Bed Bath & Beyond is violating the state’s consumer privacy laws by collecting the ZIP codes and using them to send out junk mail. Tyler estimates the “amount in controversy in excess of $5 million,” the report states. Editor’s Note: Registration is now open for the IAPP web conference Successful Strategies for Winning and Avoiding Privacy Class-Action Lawsuits, airing Wednesday, April 17.

BIG DATA

Privacy Backlash Could Hurt Benefits, Some Say (March 25, 2013)

The New York Times reports on the potential benefits and privacy concerns of Big Data. “Much as the microscope allowed scientists to examine the mysteries of life at the cellular level,” Big Data, some say, will open the door to making smarter decisions across industry sectors, while others worry about the advent of the new Big Brother. A World Economic Forum report—spawned from a workshop of government officials, privacy advocates and business executives—offers one path “that leans heavily on technology to protect privacy.” Meanwhile, the healthcare industry is showing interest in Big Data to help with patient outcomes and lower healthcare costs, but one expert worries about the re-identification of personal health records. (Registration may be required to access this story.)

STUDENT PRIVACY—U.S.

Parents, Advocates in NY, Lawmaker in AZ Concerned (March 25, 2013)

The Village Voice reports on concerns about a New York initiative to make students’ personal information—including disciplinary and attendance records as well as testing information, addresses, phone numbers and birth dates—available to third parties. “The New York State Education Department says that districts have been sharing this kind of information for nearly a decade and that the new initiative simply enables that data to be shared in a safer, more efficient fashion,” the report states. One councilman has responded, “Our children are not commodities. They are not something to be bought and sold on the market place.” Meanwhile, an Arizona state senator wants state-level penalties created for Family Educational Rights and Privacy Act violations.

GENETIC PRIVACY—U.S.

Opinion: The Afterlife of Cells in Research (March 25, 2013)

Peter Lipson discusses in Forbes the ethics and privacy issues related to the use of Henrietta Lacks’ cells after her demise from cancer and how their use affects her descendants. Doctors harvested Lacks’ cells decades ago without her consent, and they became the basis for a revolution in cell research. “With advances in genomics, the privacy question” for Lacks’ “descendants is very real,” writes Lipson. “Mrs. Lacks’ genomic information can tell us a great deal about her descendants…A genome is analogous to a diary in that it contains a great deal of personal information that does not automatically become property of the community after death.”

ONLINE PRIVACY

Microsoft Discloses Requests for Data (March 22, 2013)
Microsoft joined the likes of Google and Twitter yesterday in releasing a report on its response to—along with the number and type of—requests for information it has received from law enforcement bodies around the globe. The UK, France, Germany, Turkey and the U.S. accounted for 69 percent of the 70,665 requests received last year, noted a summary of the report in The New York Times, and anyone is free to peruse the data in either pdf or Excel format. Eighty percent of requests resulted in disclosure of “non-content” information, such as name and e-mail address, while 2.2 percent resulted in the handover of customer content as well. Requests affected customers using such services as Hotmail/Outlook.com, Xbox Live and Office 365.

PRIVACY LAW—EU

Officials Weigh In on Proposed Regs (March 22, 2013)

The Hunton & Williams’ Privacy and Information Security Law Blog outlines the views of European legislators on the proposed EU data protection legislation, as voiced in legislative deliberations held by the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Comments made by Albrecht, Voss, Ludford, Le Bail, Kohnstamm and Hustinx are all summarized. Another post further explores European Data Protection Supervisor Peter Hustinx’s views outlined in a letter he sent to the chair of LIBE. EU Justice Commissioner Viviane Reding has set a July goal for reaching a political agreement on the regulation, Total Telecom reports, but one EU official says some member countries believe a slow pace is appropriate for these highly technical negotiations.

PRIVACY LAW—U.S.

Plaintiffs: “Leave Case Intact” (March 22, 2013)

Law360 reports that plaintiffs in a proposed class-action suit over a Sony data breach have “urged a California federal court to leave their case intact despite the U.S. Supreme Court’s recent Clapper ruling, which could limit suits by individuals who can’t prove their data was used.” The ruling in Clapper v. Amnesty International “denied a right to sue by individuals who concede that they have no evidence that they have been subjected to surveillance,” Forbes reported, “consistent with a long line of cases that have insisted on evidence of injury before a suit can go forward, particularly when the suit implicates national security concerns.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

GPS Act Reintroduced (March 22, 2013)

Sens. Mark Kirk (R-IL) and Ron Wyden (D-OR) and Rep. Jason Chaffetz (R-UT) have reintroduced the Geolocation Privacy and Surveillance or GPS Act to require law enforcement to obtain warrants before collecting location data from phones or other devices, the Daily Herald reports. “The law would make exceptions for cases of emergencies or national security but would extend warrant requirements to acquisition from commercial service providers and government tracking devices,” the report states. Speaking in support of the GPS Act, Kirk said, “Congress should set a clear legal standard to safeguard your digital privacy.”

DATA RETENTION—U.S.

HIV Database Could Violate Law (March 22, 2013)

FierceHealthIT reports that Michigan Department of Community Health’s retention of data on individuals who “test for HIV at federally funded clinics” could violate state law. While a provision in the health code requires destruction of such data after 90 days, local health departments have been required “to enter that data into the state's HIV Event System, where the data is kept indefinitely,” the report states. A former state representative who helped pass the law said the intent “was to encourage people to know what their status was but also to protect people's privacy… It's not just the (privacy) violation; it's the fact they're keeping this data that it was never the intent of the legislature that they keep.”

PRIVACY—U.S.

Let’s Go to the Video (March 22, 2013)

A pair of videos were circulating the web this week—one featuring Rep. Louis Gohmert (R-TX) and Google Law Enforcement and Information Security Director Richard P. Salgado and the other Central Intelligence Agency Chief Technology Officer Ira “Gus” Hunt—that might get you thinking about the U.S. federal government’s relationship with the privacy profession. In one instance, a lawmaker seems to have difficulty understanding the technology that underpins privacy applications, and in another, a powerful government representative discusses his agency's use of data maximization with unlimited retention. Watch what they have to say and leave your comments on the IAPP’s Privacy Perspectives blog.

PRIVACY LAW—U.S.

Opinion: It’s Time for an Update (March 22, 2013)

Marvin Ammori and Luke Pelican write for POLITICO on concerns from companies outside the U.S. regarding the nation’s privacy laws. “In February, a Canadian technology company launched a new product, declaring it to be the solution for all legitimate businesses that have a ‘fear of data privacy and U.S. PATRIOT Act issues.’ European companies including Germany’s Deutsche Telekom and France’s Bull SAS similarly market themselves across the world as privacy-conscious alternatives to any American cloud company,” the authors write, suggesting these are “not exceptions but the rule.” The authors contend the time has come to update U.S. privacy legislation.

DATA PROTECTION—UK

New EU Regs May Mean 42.8m GBP Bill for UK (March 21, 2013)
With the onset of the new EU data protection regulations, the Information Commissioner’s Office (ICO) workload is expected to increase exponentially. Belfast Telegraph reports that Members of Parliament are now warning that this—combined with the elimination of some fees—could lead to a 42.8 million GBP funding gap to be shouldered by taxpayers. A major source of the ICO’s funding comes from fees required by the Data Protection Act 1998, but the data controller registration fee and a notification fee have been abolished in the new regulation. Justice Committee Chair Sir Alan Beith said, "Taxpayers will have to pick up the tab...unless the government can find a way of retaining a fee-based self-financing system."

EMPLOYEE PRIVACY—U.S.

Pharmacy Healthcare Policy Has Some Crying Foul (March 21, 2013)

ABC News reports on a new employee policy by CVS Pharmacy that requires all of the nearly 200,000 employees using its health plan to submit personal health data—including their weight, body fat and glucose levels—or pay a monthly penalty. No increase in health rates will affect those who disclose the information. Patient Privacy Rights Founder Deborah Peel said, “The approach they’re taking is based on the assumption that somehow these people need a whip, they need to be penalized in order to make themselves healthy,” and added, “It’s technology-enhanced discrimination on steroids.” CVS noted the plan is voluntary and that it would not see the test results. “The goal of these kinds of programs is to end up with a healthier workforce,” one expert said.

PRIVACY LAW—FRANCE

CNIL Publishes 2013 Inspection Targets (March 21, 2013)

Following the 458 on-site inspections it carried out in 2012, the French data protection authority’s (CNIL) annual program for 2013 was published this week. Bird & Bird reports that the CNIL’s objective is to achieve approximately 400 inspections, with one-quarter related to CCTV systems and one-third reserved for the investigation of complaints received. “With respect to the CNIL 2013 program, there is a persistent interest from the CNIL for CCTV systems,” explained Bird & Bird's Gabriel Voisin. “However, operators will be pleased to see that the French data protection authority seems to have no appetite for enforcing the new cookie requirements.”

SURVEILLANCE—U.S.

Laws Need Update for Drones, Experts Tell Senate (March 21, 2013)

The expected boom in domestic, commercial drone use could pose serious data-gathering and privacy challenges to American citizens, experts told a Senate panel yesterday, the Associated Press reports. Current privacy safeguards from aerial surveillance are based on court decisions in the 1980s, the Judiciary Committee was informed. Sen. Dianne Feinstein (D-CA) said the expected job creation from the technology “is a very seductive thing,” but the government should “decide for which purposes drones can be legitimately used.” And University of Washington Law Prof. Ryan Calo said if citizens’ privacy concerns are not first addressed, the “transformative” potential of drone technology may not come to fruition.

MOBILE PRIVACY—U.S.

Fighting Search in the West, Tracking in the East (March 21, 2013)

In both California and Maine, groups are pushing to restrict the ability of law enforcement to use cell phone data without a warrant. TechCrunch reports the ACLU has filed suit against the county of San Francisco to try to keep anyone from searching phones without a warrant, claiming such searches violate the California Constitution. In Maine, the Judiciary Committee held a hearing on Assistant Senate Republican Leader Roger Katz’s bill requiring police to get a warrant before accessing data from electronic devices in most cases. But the head of the Maine Attorney General’s Criminal Division says the requirement could mean “this valuable investigative tool may become unavailable in most cases.”

PRIVACY LAW—U.S.

Surveillance Case Leads Federal Developments (March 21, 2013)

In an active month of privacy developments at the federal level, news is led by the U.S. Supreme Court’s decision that plaintiffs challenging the Foreign Intelligence Surveillance Act Amendments as unconstitutional did not have standing to sue as they could not show a present or threatened injury. This month’s IAPP Privacy Tracker also has updates and analysis on President Barack Obama’s Cybersecurity Executive Order, ECPA reform, Do-Not-Track legislation, a bipartisan Drone Privacy Bill and much more. Editor’s Note: Tracker subscription is needed to read this piece.

DATA LOSS—U.S.

Breaches Affect DOE, Xbox; Higher Ed Hit Hard in 2012 (March 21, 2013)

Federal authorities are investigating an alleged breach affecting the personal information of approximately 12,000 Savannah River Site workers, The Augusta Chronicle reports. A U.S. Department of Energy official said, “Initial indications are that this disclosure was not the result of a cyberintrusion and no classified data was compromised.” In a separate incident, Xbox Live subscribers have been assured by Microsoft that their accounts have not been compromised after it was discovered that the names and e-mail addresses of nearly 3,000 users were accidentally leaked online. Meanwhile, one report states that higher education data breaches were at a near-record high in 2012.

MOBILE PRIVACY—U.S.

MTA To Collect Cab Data; Vulnerability Discovered (March 21, 2013)

San Francisco’s Municipal Transportation Agency voted Tuesday to require taxi companies and drivers to cooperate with a plan to collect electronic data from cabs. It will then share the data with developers to create cab-hailing apps in an attempt to help the taxi industry compete with ride-share firms, reports San Francisco Chronicle. Some drivers say the plan would violate their privacy and that of their passengers if location and fare data is stored electronically. Meanwhile, two UC Berkeley grad students found a glitch in the T-Mobile “WiFi Calling” feature that would allow others to listen in on or modify calls and text messages sent through the system. T-Mobile says it has sent a security update to all affected customers.

PRIVACY

A Quick Guide to the DPI (March 21, 2013)

With three full days of programming, the IAPP’s Data Protection Intensive, happening April 23 through 25 in London, may look nigh-on-impenetrable, but members of the IAPP publications team will be gathering the news of what happens and have compiled this quick-reference guide to help focus your energies while there, whether you’re looking to better manage your risk, better understand the upcoming privacy landscape or network and get to know your fellow privacy pros better.

PRIVACY LAW—U.S.

ECPA Reform Consensus Grows; Legislation Introduced (March 20, 2013)
Consensus to update the Electronic Communications Privacy Act (ECPA) to require law enforcement to obtain a warrant prior to accessing an individual’s e-mail is growing among lawmakers, government officials, industry representatives and privacy advocates, The Hill reports. Rep. Jim Sensenbrenner (R-WI) said the current version of ECPA is “outdated and probably unconstitutional,” while a Justice Department official said requiring a warrant has “considerable merit.” Sens. Patrick Leahy (D-VT) and Mike Lee (R-UT) introduced legislation on Tuesday to better protect digital privacy rights within ECPA. Leahy said, “we must update this law to reflect new privacy concerns and new technological realities…This bill takes an essential step toward ensuring that the private life of Americans remains private.”

CONSUMER PRIVACY—UK

ICO Levies 90,000 GBP Fine for Nuisance Calls (March 20, 2013)

The UK Information Commissioner’s Office (ICO) has fined a private-sector company 90,000 GBP for “thousands of unwanted marketing calls.” According to an ICO press release, this is the first time the agency has issued a monetary penalty for violations of the Privacy and Electronic Communications Regulations in relation to live marketing calls. Glasgow-based DM Design has been issued the fine for failing to check whether consumers had opted out of receiving marketing calls. ICO Commissioner Christopher Graham said the fine “sends out a clear message to the marketing industry that this menace will not be tolerated." In an exclusive for The Daily Dashboard, Field Fisher Waterhouse's Stewart Room, CIPP/E, explains why this is a significant development. Editor’s Note: Room will speak at the IAPP Data Protection Intensive next month in London, UK.

GEO PRIVACY—U.S.

Feds Seek Warrantless GPS Tracking Rights (March 20, 2013)

The Obama administration is arguing before a federal appeals court that government authorities should not need a warrant to place GPS tracking devices on suspects’ vehicles, Wired reports. The move comes a year after the Supreme Court ruled that government authorities did not have that right. According to CNET News, the administration believes last year’s ruling does not account for all scenarios. “This case is the government’s primary hope that it does not need a judge’s approval to attach a GPS device to a car,” said the ACLU’s Catherine Crump. She will be part of the proceedings in the 3rd U.S. Circuit Court of Appeals in Philadelphia, PA.

DATA LOSS—U.S.

EHR Vendor Reports Breach (March 20, 2013)

A Massachusetts electronic health records (EHR) vendor has announced a breach affecting six medical practices, GovernmentHealthIT reports. Lawrence Melrose Medical Electronic Record, Inc., will report to the Office for Civil Rights that an employee inappropriately accessed patient data. A letter to the New Hampshire Attorney General’s Office stated that two NH residents’ medical records were exposed, and it is unknown how many patients in Massachusetts were involved. The company has sent letters to those affected and is in the process of enhancing privacy and data security measures in response to the incident.

PRIVACY LAW—U.S.

Apple May Face Sanctions in Lawsuit (March 20, 2013)

Bloomberg reports that Apple may face penalties for its data-sharing practices in a privacy lawsuit. The company’s attempt to have the case dismissed was overruled on March 7. At a hearing yesterday, U.S. Magistrate Judge Paul S. Grewal gave plaintiffs’ lawyers the go-ahead to pursue sanctions against Apple for failing to produce documents in a geolocation lawsuit. An Apple representative said the company has made “Herculean efforts over the last two weeks” to solve the issue.

PERSONAL PRIVACY—U.S.

Advocates: Say No to ZIP Code Requests (March 20, 2013)

NBC News reports on a request many of us hear when we arrive at checkout counters: “May I have your ZIP code, please?” Privacy advocates recommend, “Just say no.” Sharing ZIP codes can result in an influx of junk to your home mailbox “and more telemarketers disrupting your day,” the report states. To date, high courts in both Massachusetts and California have ruled ZIP codes are PII. “Obviously, if I go into a store and I make a purchase, I don’t expect—unless I sign up for a mailing list—that I’m going to start receiving catalogs,” one advocate said.

ONLINE PRIVACY

Weigend: Big Data=Big Oil (March 20, 2013)

IAPP Data Protection Intensive Keynote Speaker Andreas Weigend knows Big Data. As former chief scientist at Amazon and now consultant on social and mobile technologies to global firms like Best Buy and Nokia, he’s working daily with firms to help them navigate what he calls the Social Data Revolution. “Big Data is a mindset,” he said in an interview with The Privacy Advisor. “It’s really how you think about interacting with data; it’s the questions you’re asking and the response time of getting answers and refining the questions.”

SMART GRID—U.S.

Opinion: Privacy Issues Will Get More Contentious (March 20, 2013)

John Paul Titlow writes for ReadWrite about the privacy issues expected to come with the conveniences and cost-savings of “smart homes,” noting, “You think digital privacy is a contentious issue now, just wait.” The level of detail in smart home data combined with increased government requests for data from ISPs and mobile carriers should rouse customers, Titlow writes, “Because those very same firms are now selling smart home products that will allow them to collect more data about our lives than ever before.” While there aren’t any known cases of smart home customers experiencing privacy intrusions, Titlow says as this technology becomes more widely adopted, we can expect to hear about them.

ONLINE PRIVACY—U.S.

White House Changes Tune on Some E-mail Surveillance (March 19, 2013)
The Obama administration is easing up on its insistence that law enforcement should be able to access Americans’ e-mail communications without a warrant, but the Justice Department is issuing new proposals that would allow the government to have expanded surveillance rights over e-mails and Twitter and Facebook direct messages, CNET News reports. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It’s like two steps forward and two steps back…I question how much they’re really conceding.” In an op-ed for POLITICO, Grover Norquist of Americans for Tax Reform and the ACLU’s Laura Murphy announced the launch of Digital 4th, proposing that all private communications stored online should have the same Fourth Amendment rights as any materially stored documents.

TRAVELERS’ PRIVACY—U.S.

Court Puts Limits on Digital Search at Border (March 19, 2013)

The U.S. Court of Appeals for the Ninth Circuit has voted to put limits on electronic searches at the border, ruling that customs agents must suspect criminal activity in order to conduct a "forensic examination" of a laptop hard drive, reports The Huffington Post. While manually browsing desktop files is still permitted, the court voted 8-3 that techniques such as copying data, password cracking and recovering deleted files are in violation of the Fourth Amendment, stating a "person's digital life ought not be hijacked simply by crossing a border." The minority dissenters said the decision amounts to an unworkable rule that could jeopardize border security, the report states.

HEALTHCARE PRIVACY—U.S.

New HIPAA Regs Create Challenges (March 19, 2013)

New Health Insurance Portability and Accountability Act (HIPAA) regulations are causing healthcare providers to look for guidance on how they will affect business, Reuters reports. Nixon Peabody’s Linn Freedman says provisions of particular concern are those that extend the scope of HIPAA to business associates, allow patients to withhold information from their health plan by paying for services in full and assume incidents to be breaches until proven otherwise by providers. The regulations take effect March 26, and providers have until September 23 to comply.

PRIVACY LAW—THE NETHERLANDS

Dutch Parliamentarian Questions Drone Use (March 19, 2013)

Police in The Netherlands are increasingly using remote-controlled helicopters to trace burglars and ferret out illegal marijuana crops, but now D66 Parliamentarian Gerard Schouw has asked the Justice Ministry to explain the implications of the use of these drones on privacy, reports DutchNews.nl. Further, Vincent Böhre of the group Privacy First has declared their use illegal, saying it’s a form of camera supervision prohibited by Dutch law.

FINANCIAL PRIVACY—U.S.

Does Legislation Lag Behind Mobile Wallet Tech? (March 19, 2013)

McClatchy reports that mobile wallet technology now allows consumers to pay for things with their phones--even just their voices--and payments in the U.S. could jump from $12.8 billion in 2012 to $90 billion in 2017, according to Forrester research. But privacy advocates say legislation is not keeping up with the technology. “At the end of the day, this is about exposing your financial behaviors to a daisy chain of financial and other marketers who will have a very detailed understanding of where you are, where you spend your time and how you buy,” said Jeffrey Chester of the Center for Digital Democracy.

BIG DATA—U.S.

Shining a Light on Data Brokers (March 19, 2013)

ProPublica reports on the consumer data industry and the types of information that are collected, processed and sold. Some businesses collect lists of individuals undergoing “life-event triggers”—such as buying a home or having a child—while others profile people’s hobbies or salary and paystub information. The report also looks into the sources of such information. “You have the right to review and correct your credit report,” the article states, “But with marketing data, there’s often no way to know exactly what information is attached to your name—or whether it’s accurate.” To illustrate the flow of consumer information from purchase to advertising, AdvertisingAge has published an interactive map outlining various data flows. The FTC recently said it will ramp up enforcement of those “who share online data sloppily.”

MOBILE PRIVACY—U.S.

Old: Sex Education; New: The Technology Talk (March 19, 2013)

As mobile devices become ubiquitous among the teen and pre-teen crowd, advocates are working to raise awareness amongst parents that they need to discuss privacy and safety issues with their children. The problem, Dale Harkness, tech director at Richmond-Burton Community High School in Richmond, IL, told The Dallas Morning News, is that actions “get documented, replayed and sent around.” And many app developers make that ever easier.

PRIVACY

Firm Launches Privacy and Free Trade Coalition (March 18, 2013)
In light of upcoming trade negotiations between the U.S. and EU and plans by Japan to join the Trans Pacific Partnership, Hogan Lovells has launched the Coalition for Privacy and Free Trade. The coalition intends to address non-tariff trade barriers brought on by differing data protection regimes and to promote global interoperability, Hogan Lovells’ Chronicle of Data Protection reports. The new group will be led by experts from the privacy and trade spheres, including former EU Ambassador to the U.S. Hugo Paemen, Hogan Lovells Partners Christopher Wolf—who recently wrote about privacy and free trade for the IAPP’s Privacy Perspectives—and Harriet Pearson, CIPP/US, and former White House Privacy Lead Daniel J. Weitzner. “Promoting greater interoperability between U.S. and EU privacy regimes can be a win for consumers on both sides of the Atlantic,” Weitzner said.

PRIVACY LAW—U.S.

Congress To Host Set of Privacy Hearings (March 18, 2013)

The Hill reports on several privacy hearings to be hosted by various House and Senate Committees this week. On Tuesday, the House Judiciary Committee will hold the first in a series of hearings on expanding privacy protections within the Electronic Communications Privacy Act (ECPA). The hearing is expected to reveal whether law enforcement groups will push back against the proposal, the report states. Additionally, a new coalition has been launched to urge Congress to strengthen privacy protections in ECPA. At least three different congressional committees will also hold hearings on cybersecurity-related issues, and the Senate Judiciary Committee is set to examine privacy issues stemming from domestic drone use. Meanwhile, Google Global Privacy Counsel Peter Fleischer writes on why there needs to be a “better, simpler” narrative of U.S. privacy laws.

DATA LOSS—U.S.

Retailer Sues Visa Over Fines, Breach Affects 25,000 (March 18, 2013)

RIS News reports on “what appears to be a first-of-its-kind lawsuit” in which retailer Genesco is suing Visa over $13 million in fines it collected after Genesco’s 2010 data breach involving packet-sniffing software on its network. Visa fined Wells Fargo and Fifth Third Financial, transaction processors used by Genesco, for violations of PCI standards. The companies paid the fines with money from Genesco accounts. Genesco’s suit accuses Visa of “legally unenforceable penalties masquerading as fines, breaching its contracts with the banks and engaging in unfair business practices under California law.” In other breach news, a data incident at Salem State University has potentially affected 25,000 current and former employees, and a man convicted of stealing more than 100,000 e-mail addresses of iPad users is facing sentencing this week.

ONLINE PRIVACY—U.S.

Lawmakers Introduce E-Reader Privacy Bill (March 18, 2013)

New Jersey lawmakers have introduced legislation that would protect e-book readers’ privacy just as library records are protected, newjerseynewsroom.com reports. Assembly Democrat Benjie Wimberly, co-sponsor of the bill, says e-books and online purchases “have redefined the way we read, buy and borrow books,” adding, the new methods “raise questions regarding privacy and disclosure of personal information…Individuals should be allowed to read, shop without fear of intrusion. Just as with books you borrow at the library, your e-book preferences should also remain private.” The law would allow for disclosures only under certain situations, such as with user consent or to law enforcement in ongoing criminal investigations.

SOCIAL NETWORKING—U.S.

Facebook Fixes Privacy Glitch (March 18, 2013)

Facebook has fixed a privacy leak that allowed “friends of friends” to see events another person attended, IDG News Service reports. Austrian student organization Europe v. Facebook says it found Facebook’s redesign of its privacy practices allowed for the glitch. “Users were able to look through often times thousands of past events users were invited to.” The group says Facebook fixed the problem within a couple hours of being notified.

SOCIAL NETWORKING—U.S.

Netflix Rolls Out Long-Awaited Sharing Feature (March 15, 2013)
Netflix has announced it will begin offering U.S. customers the ability to sync their Netflix and Facebook accounts to allow friends to see what they are watching, The New York Times reports. Netflix says customers will have explicit options. “You are in control of what gets shared,” said a Netflix spokesman. “You can choose not to share a specific title by clicking the ‘Don’t Share This’ button in the player.” Before the feature’s rollout, Netflix lobbied Congress to amend the Video Privacy Protection Act, which prohibited video service providers from sharing their customers’ viewing preferences, the report states. (Registration may be required to access this story.)

MOBILE PRIVACY—EU

A29 Working Party Adopts Mobile Apps Opinion (March 15, 2013)

The Article 29 Working Party (A29WP) has released its joint opinion on mobile apps. The opinion outlines specific obligations of app developers and other parties—including app stores, advertising providers and operating system and device manufacturers—and pays special attention to apps targeting children. Noting that many apps collect a user’s photo album or location data, A29WP Chairman Jacob Kohnstamm said, “This often happens without the free and informed consent of users, resulting in a breach of European data protection law.”

CYBERSECURITY—U.S.

Facebook Withdraws CISPA Support (March 15, 2013)

CNET News reports that Facebook no longer supports the recently reintroduced Cyber Intelligence Sharing and Protection Act (CISPA). The company had previously supported the legislation, but now does not appear on the current list of supporters on the U.S. House Intelligence Committee’s website, the report states. A Facebook spokeswoman said, “We are encouraged by the continued attention of Congress to this important issue, and we look forward to working with both the House and the Senate to find a legislative balance that promotes government sharing of cyberthreat information with the private sector while also ensuring the privacy of our users.” The ACLU’s Michelle Richardson said she hopes Facebook’s stance “evolves into flat-out opposition if CISPA isn’t fundamentally rewritten to protect privacy.”

HEALTHCARE PRIVACY—U.S.

Database Gives Patients Increased Control (March 15, 2013)

Mashable reports on a new site aiming to recruit patients for clinical trials and disease research “by giving them unprecedented privacy controls and greater say in how their data is used for research.” Many DNA databases require participants to sign broad consent forms, often relinquishing control of how the data will be used. The Genetic Alliance database is the result of a partnership with Private Access, a company that “develops platforms for sharing health information while maintaining privacy,” the report states.

STUDENT PRIVACY—U.S.

Advocates, Assemblyman Blasting Student Database (March 15, 2013)

New York State Assemblyman Daniel O'Donnell (D-69th district) has introduced a bill to prevent schools from sharing student data with private companies without parental consent or the ability to opt out, reports New York Daily News. The bill is in response to a new national database with which New York education officials have already shared student data. The database is intended to help educational companies create teaching tools for students, and the state’s education department says no data will ever be sold, but civil liberties and education advocates are not satisfied. “The fact that this plan is being carried out without even telling parents reflects the state’s and city’s carelessness with children’s lives,” said one education activist.

DATA LOSS—U.S.

Fire Department Hit by Third-Party Breach (March 15, 2013)

An Arizona fire department has announced a patient data breach, HealthITSecurity reports. The breach involved the department’s third-party billing processor’s disclosure of patient data. Names, dates of birth, Social Security numbers and record identifiers were disclosed, the report states. The Advanced Data Processing (ADP) employee responsible was fired, arrested and prosecuted, and ADP has sent letters to those affected.

CONSUMER PRIVACY—U.S.

Brill: Enforcement Heating Up (March 14, 2013)
Federal Trade Commissioner Julie Brill says the FTC is “ramping up enforcement” for violations of privacy rules, Advertising Age reports. “We’re going after the players who share online data sloppily,” Brill said at a recent Direct Marketing Association event. Brill added, however, that the commission aims to work with industry toward an agreement on protecting consumer privacy in a way that promotes a “vibrant, innovative, online marketplace.” The FTC recently ordered nine data brokers to disclose details on their data collection and use and will release a report on the matter later this year, Brill said, adding that increasingly savvy consumers will hurt misbehaving companies more than FTC enforcement will.

PRIVACY LAW—U.S.

MA Court Allows ZIP Code Lawsuit To Proceed (March 14, 2013)

The Massachusetts Supreme Judicial Court has ruled that ZIP codes are considered personal identification information, reports ABA Journal. The Tyler v. Michaels Stores ruling means a class-action lawsuit can proceed, even though identity fraud did not result from the data collection. The plaintiff in the case claims Michaels used ZIP code information to obtain more of her personal information in order to send her marketing materials. Massachusetts law forbids companies from requesting consumers’ personal information during credit card transactions unless it is required for shipping purposes, the report states. The ruling mirrors a California Supreme Court decision.

MOBILE PRIVACY—U.S.

DAA To Roll Out Mobile Privacy Guidelines (March 14, 2013)

The Digital Advertising Alliance (DAA) plans to unveil a set of mobile privacy guidelines as early as next week. MediaPost News reports the guidelines will likely require ad businesses to provide consumer notification of behavioral advertising and allow an opt-out, and may require opt-in consent prior to collecting certain data, such as user contacts. The guidelines are also expected to promote the use of de-identification. The DAA’s guidelines will be the fourth set of standards circulating in the past year, including those provided by the Federal Trade Commission and California Attorney General and those currently under consideration by the National Telecommunications and Information Administration.

CYBERSECURITY—U.S.

Obama Meets CEOs, Receives Anti-CISPA Petition (March 14, 2013)

President Barack Obama met with more than a dozen CEOs Wednesday to get their support for cybersecurity legislation. The move comes after intelligence officials testified that cyberattacks now outpace terrorism as the top threat to national security, the Los Angeles Times reports. “What is absolutely true is that we have seen a steady ramping up of cybersecurity threats,” Obama said. Meanwhile, the president received a petition from a group of privacy advocates imploring him to stop the recently proposed Cyber Intelligence Sharing and Protection Act (CISPA). The group wrote, “CISPA’s information-sharing regime allows the transfer of vast amounts of data, including sensitive information like Internet records or the content of e-mails, to any agency in the government.”

PRIVACY LAW—U.S.

Experts, Advocates React to Google Settlement (March 14, 2013)

The New York Times reports on Google’s recent settlement over its Street View privacy violations. The settlement includes a $7 million fine and requires the company to establish a privacy program within six months and train relevant employees on privacy. “This gives me some glimmer of hope that going forward, the culture of Google will include more Privacy by Design,” said the Center for Democracy and Technology’s Joseph Hall. The Future of Privacy Forum’s Jules Polonetsky, CIPP/US, said the settlement indicates “we all seem to be really happy making this tradeoff” of our personal data for technological advances. (Registration may be required to access this story.)

BEHAVIORAL TARGETING—U.S.

Franken Troubled by Firm’s Tracking Technology (March 14, 2013)

Sen. Al Franken (D-MN) has sent a letter to Euclid Analytics seeking information on the firm’s “troubling” consumer tracking technology, The Hill reports. The technology can track consumers’ offline movements in and around stores by receiving a signal from an individual’s smartphone. With recent reports stating the company has tracked 50 million unique smartphones to date, Franken wrote, “It’s one thing to track someone’s shopping habits through a loyalty card or credit card purchase…It’s another thing entirely to track consumers’ movements without their permission as they shop,” even without making a purchase. In the letter, Franken included a set of 16 questions for the company to answer. Euclid Analytics says it has engineered privacy protections in its technology and hashes the collected unique identifiers.

MOBILE PRIVACY—U.S.

Expert Offers Tips on Mobile Developments (March 14, 2013)

In a blog post for the IAPP’s Privacy Perspectives, Jenner & Block Privacy and Information Governance Practice Chair Mary Ellen Callahan, CIPP/US, explores recent developments in mobile privacy and offers a set of tips for companies working within the mobile landscape. “From a practical standpoint,” she queries, “what has happened, what should consumers expect in the future and how will these activities affect the mobile marketplace?”

PRIVACY LAW—U.S.

Google Acknowledges Violation, Must Establish Program (March 13, 2013)
Google has acknowledged to state officials that it violated individuals’ privacy when it acquired passwords, e-mail and other personal information with its Street View mapping project, The New York Times reports. The settlement in the case involving 38 states includes a $7 million fine and requires the company to “aggressively police its own employees on privacy issues” by establishing a privacy program within six months, making privacy certification available to certain employees and training relevant employees on privacy. Meanwhile, Russian officials are investigating Google for potential privacy violations concerning e-mail correspondences, and the Seventh Circuit Court of Appeals has ruled in favor of Google in a case involving sponsored ads. (Registration may be required to access this story.)

DATA THEFT—U.S.

Suspect Site Posts Celebrities’ PII (March 13, 2013)

The Federal Bureau of Investigation, the Secret Service and the Los Angeles Police Department are investigating a website that posted the addresses, Social Security numbers and additional personal data of several celebrities, politicians and law enforcement agents, The New York Times reports. One senior law enforcement official said, “At this point, we are trying to determine the sourcing of this and the validity of the stuff that is being posted.” Much of the data could have been sourced from public information, but, according to the report, sensitive credit reports were obtained, which Equifax Vice President Tim Klein said hackers must have used stolen data to access. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Study Indicates “Likes” Reveal Personal Data (March 13, 2013)

Research from England’s University of Cambridge indicates a person’s political leanings, age, gender and sexual orientation can be deciphered by studying their Facebook “Likes,” Forbes reports. The study is based on data from 58,000 Facebook users who volunteered. “The model correctly discriminates between homosexual and heterosexual men in 88 percent of cases, African Americans and Caucasian Americans in 95 percent of cases and between Democrat and Republican in 85 percent of cases,” the authors say, adding that the ability to predict individuals’ attributes based on behavior may have negative implications “because it can be easily applied to large numbers of people without obtaining their individual consent and without them noticing.”
Full Story

INFORMATION ACCESS—FRANCE

CNIL Launches Open Data Consultation (March 13, 2013)

The French data protection authority (CNIL) has initiated a consultation of “relevant private and public actors” to determine whether it should pursue an “Open Data” initiative, Hunton & Williams’ Privacy and Information Security Law Blog reports. Open Data is seen at national and EU levels to allow access to and the re-use of public-sector data, the report states. The UK and the European Commission have both launched Open Data portals. The CNIL’s consultation “is intended to improve its understanding of this movement and the consequences for the protection of personal data.”
Full Story

BIG DATA

Authors: The Risks and Benefits of Big Data (March 13, 2013)

Forbes chats with Viktor Mayer-Schönberger and Kenneth Cukier on the future of Big Data. The two are the authors of a new book, Big Data: A Revolution That Will Transform How We Live, Work and Think, which addresses both the risks and benefits of Big Data. Regarding privacy concerns, the authors say anonymization is not possible when it comes to Big Data. The two are more concerned with “predictive policing,” which may see the use of Big Data analysis to determine which geographic areas and groups to surveil based on the data-based likelihood a crime may be committed. The authors suggest frameworks, including data “expiration dates,” to protect against Big Data’s misuse.
Full Story

SURVEILLANCE—U.S.

Two Tech Leaders Fund ACLU Privacy Project (March 12, 2013)
The American Civil Liberties Union of Massachusetts has received a $1 million donation from two technology leaders for the creation of a project to examine the rapidly advancing surveillance technology used by police. Former Akamai Technologies CEO Paul Sagan and Vertex Pharmaceuticals Founder Joshua Boger contributed the money. The Technology for Liberty & Justice for All project will initially focus on drone use and the surveillance of smartphones and private e-mails, The Boston Globe reports. “There aren’t enough people on the technology side supporting critical looks at what this means for society,” said Boger. “We need the best minds on this.”

PRIVACY LAW—COSTA RICA

Nation Adopts Information Privacy Law (March 12, 2013)

Costa Rica has adopted an information privacy law on the storing, sharing and access of personal information, Inside Costa Rica reports. Law #8968, which was published in the official Gazette last week, mandates that individuals provide their express consent prior to the collection of their personal data and provides the “right to informational self-determination,” or the individual right to know what data is being collected and for what purpose, the report states. The law requires a 10-year data retention limit, with some exceptions, and provides individuals with a means of redress to correct or remove personal information from databases.
Full Story

ONLINE PRIVACY

Rounding up the Audit Requirements (March 12, 2013)

While FTC settlements with the likes of Facebook, Google, Myspace and Path have all made news, what’s next is the task of living up to the agreements, and that means 20 years of privacy audits. The San Francisco Chronicle rounds up just what these audits entail, how companies like KPMG and PricewaterhouseCoopers go about conducting the audits, and why some privacy advocates say the audits aren’t nearly enough: "The real question is, will these companies stay out of the privacy hot water in the future," Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, told the paper. "I'm not really sure these audits are going to solve that problem."
Full Story

GENETIC PRIVACY

Report: DNA Samples Could ID Donors (March 12, 2013)

CSO reports on research indicating it could “be possible for anyone, even if they follow rigorous privacy and anonymity practices, to be identified by DNA data from people they do not even know.” Referencing a paper published in Science, the report discusses a process where DNA donors and their relatives could be identified “even without any demographic or personal information.” While laws barring “research institutes from releasing any demographic information about donors would protect patient privacy,” the report notes they would “eliminate the ability of researchers who have identified markers for a particular disease to also identify the ethnic or cultural background of those who might have it.”
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

Risk-Based Screening Draws Privacy Scrutiny (March 12, 2013)

The New York Times reports on plans to move air passenger screening to a more risk-based system fueled by large amounts of data collecting and sharing. The shift is supported by the travel industry and U.S. government officials, but civil liberties groups and some European regulators are concerned the new approach will compromise travelers’ privacy. The system will focus on identifying suspect travelers rather than suspect items and will use data from terror-watch lists, travel agencies and airlines—including birth dates, passport numbers and other confidential information. German Federal Commissioner for Data Protection and Freedom of Information Peter Schaar said any passenger data system should demonstrate it roots out terrorists, be proportional and avoid discrimination. “I question whether these proposals meet at least one of those,” he cautioned. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO Expresses BYOD Privacy Concerns (March 12, 2013)

Following its annual conference in Manchester, UK, last week, the Information Commissioner’s Office (ICO) is expressing concern about the threat bring-your-own-device (BYOD) poses to data security and privacy, reports InformationWeek. The ICO released the results of a survey showing 47 percent of UK workers now use personal devices for business, yet less than 30 percent receive guidance from their employer regarding privacy and data security. The ICO has released a BYOD Guide dictating how employees should be instructed in handling personal information accessed and stored on their devices. "Employers must have adequate controls in place to make sure this information is kept secure," warned an ICO spokesman.
Full Story

ONLINE PRIVACY—U.S.

Ramirez To Eye Internet of Things Privacy Risks (March 12, 2013)

Newly appointed Federal Trade Commission Chair Edith Ramirez said new consumer electronics that bring daily tasks online—preheating an oven while commuting, for example—would raise privacy concerns. Smart grid advances are making such tasks possible, The Wall Street Journal reports. “It won’t be long before everyday devices—refrigerators, TVs—both at home and at work are going to be capturing all sorts of information about how we behave,” Ramirez said at last week’s IAPP Global Privacy Summit. “That means there’s great potential for tremendous benefits to consumers, but at the same time there are significant and important privacy questions those developments will raise.” Editor’s Note: Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, recently wrote “The Internet of Things and a Balanced Approach to Regulatory Intervention” in Privacy Perspectives, the IAPP’s new blog. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Judge: LinkedIn Class-Action Suit Was “Abstract” (March 12, 2013)

U.S. District Judge Edward Davila, who granted LinkedIn’s motion for dismissal in a $5 million class-action lawsuit led by Katie Szpyrka and Khalilah Wright, described the breach as “abstract” rather than causing actual harm. The plaintiffs had argued LinkedIn “failed to use a combination of hashing and salting to secure user passwords,” which led to a June 2012 data breach, reports InfoSecurity. Further, they argued, despite paying for premium membership, they did not receive premium security. However, Davila concluded the breach did not result in any “concrete and particularized” injury after the plaintiffs failed to demonstrate compromise of personally identifiable information. Nor, he said, was there any evidence that LinkedIn had promised further security protection for premium members.
Full Story

DATA LOSS—U.S.

ACLU To Investigate Potential Student Rights Violation; Breaches Persist (March 12, 2013)

The American Civil Liberties Union says it will launch an investigation into whether a Washington student’s rights were violated when a school administrator allegedly forced her to log onto her Facebook page to investigate a cyberbullying case, ABC News reports. Meanwhile, a Tennessee-based retailer is suing VISA for allegedly breaching contract after a data breach; the University of Connecticut Health Center has announced a data breach affecting 1,400 patients, and both New York’s Good Samaritan Hospital and Florida’s Osceola County EMS have notified patients of separate breach incidents.
Full Story

PRIVACY LAW—EU

Reding on the Regulation: “All the Elements Are Falling Into Place” (March 11, 2013)
In her Intervention in the Justice Council on March 8, European Commission (EC) Vice President Viviane Reding discussed progress on the draft EU data protection regulation, calling it “significant and extremely encouraging.” Highlighting the regulation’s timeline moving forward, Reding said, “All the elements are falling into place to make decisive political progress on this critical dossier under the Irish (EU) presidency.” Reding's speech also includes points on risk-based approach, "SMEs and cutting red tape," public-sector flexibility and pseudonymous data, to name a few. “I am happy to work on the notion of pseudonymous data, but I will be vigilant,” she said. “We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.”

PRIVACY LAW—U.S.

Google To Pay $7 Million Settlement (March 11, 2013)

The Wall Street Journal reports on Google’s $7 million settlement in “a multistate investigation into the Internet search leader's collection of e-mails, passwords and other sensitive information sent over wireless networks several years ago in neighborhoods scattered around the world.” Stemming from incidents involving Google’s Street View vehicles, the resolution closes an investigation conducted by about 30 state attorneys general. Google has maintained it did not break U.S. law, issuing a statement Friday that noted, “We work hard to get privacy right at Google. But in this case we didn't, which is why we quickly tightened up our systems to address the issue." (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—U.S.

Faculty Criticize University’s Scanning of Deans’ E-mail (March 11, 2013)

After learning that Harvard University had searched the e-mail accounts of 16 resident deans, faculty members are speaking out against the actions, reports The New York Times. The search was an effort to learn who leaked to the media information about a student cheating scandal. Harvard’s policy states that the university can search faculty e-mail accounts during an internal investigation, but it must notify them prior to or soon after the search. In this case, faculty were notified about six months after the search, causing one professor to note, “it would seem that the administration violated its own policy.” Others acknowledged the possibility that the university saw the resident deans not as faculty but as regular employees—who have lesser protections. (Registration may be required to access this story.)
Full Story

PRIVACY

“Lifelogging” Camera Soon To Launch (March 11, 2013)

The New York Times reports on Swedish start-up Memoto’s wearable “lifelogging camera,” which automatically takes photos of the wearer’s surroundings. Worn on a collar, a jacket or like a necklace, the camera takes photos every 30 seconds. The photos will not immediately be available to share through social media, but the company’s founders hope to eventually pair the device with other data and tracking applications. The product raises some questions about privacy and data ownership, the report states. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Company Bringing Online Tracking Outside (March 11, 2013)

The New York Times reports on a three-year-old company using the same technology that has made “following people online” big business in order to track consumers “into the physical world.” Euclid Analytics uses businesses’ wireless antennas “to see how many people are coming into a store, how long they stay and even which aisles they walk,” the report states, noting the company “does this by noting each smartphone that comes near the store, feeding on every signal ping the phone sends.” In its three years, Euclid has tracked approximately “50 million devices in 4,000 locations.” (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY

Google Funds “Fashion Recognition” Research (March 11, 2013)

In late February, Google announced the funding of some 102 research projects focused on a variety of fields, from economics to policy standards and privacy. One such project, reports InformationWeek, is InSight, which could work with Google Glass and other mobile platforms to identify individuals “by their visual fingerprint, calculated through assessments of clothing colors, body structure and motion patterns.” The technology could offer an alternative to facial recognition and could be a temporary way, researchers say, to make oneself identifiable in a crowd.
Full Story

ONLINE PRIVACY

IAB “Strongly Opposes” Mozilla Move on Cookies (March 11, 2013)

Advertising Age reports on Interactive Advertising Bureau (IAB) Vice President and General Counsel Mike Zaneis’ message to IAB members on Mozilla’s plans to block third-party cookies by default. Zaneis said the IAB “strongly opposes this move,” calling it harmful to big companies, mom-and-pop small businesses dependent on digital advertising and users themselves. “Ultimately, it is bad for consumer privacy,” he wrote. “This action would break existing consumer choice mechanisms such as the Digital Advertising Alliance opt-out tool.” The message follows Zaneis’ comment last month calling the move a “nuclear first strike” against the ad industry.
Full Story

PRIVACY LAW—U.S.

Opinion: Should U.S. Adopt EU-Style Privacy? WSJ Hosts Back and Forth (March 11, 2013)

Calling U.S. privacy regulations “relatively lax,” The Wall Street Journal hosted on Friday a debate in its opinion pages regarding whether the United States should more closely resemble the European Union in its data privacy legislation. Arguing that the U.S. should, indeed, strengthen regulation is Joel Reidenberg, the Waxberg Professor of Law and founding academic director of the Center on Law and Information Policy at Fordham Law School. He believes it would properly prioritize citizens and incentivize good business practice. Arguing the contrary position is Thomas Davenport, visiting professor at Harvard Business School, who believes we can’t trust the U.S. Congress to pass good privacy legislation and that it is likely to stifle innovation. (Registration may be required to access this story.)
Full Story

PRIVACY

FTC Chair Ramirez Identifies Priorities (March 8, 2013)
Today, addressing the IAPP Global Privacy Summit, recently appointed Federal Trade Commission (FTC) Chair Edith Ramirez indicated a focus on enforcement of COPPA and other directives, regulating the mobile space and an exploration of the impact of the “Internet of Things” on privacy would be priorities for the FTC going forward under her watch. She also mentioned optimism on aligning the EU’s Binding Corporate Rules with APEC Cross-Border Privacy Rules. Ramirez was appointed FTC chair by U.S. President Barack Obama just five days ago. She addressed the IAPP in a back-and-forth discussion led by Jim Halpert, partner in the communications, e-commerce and privacy practice at law firm DLA Piper.

CONSUMER PRIVACY—U.S.

FTC Files Eight Complaints, Charges 29 Text Spammers (March 8, 2013)

The Federal Trade Commission (FTC) has charged 29 defendants with “collectively sending more than 180 unwanted text messages to consumers, many of whom had to pay for receiving the texts.” The messages promised prizes to consumers who clicked on embedded links, which then prompted them to provide sensitive personal information, according to a press release. “Today’s announcement says ‘game over’ to the major league scam artists behind millions of spam texts,” said FTC Acting Director of the Bureau of Consumer Protection Charles Harwood. “The FTC is committed to rooting out this deception and stopping it.”
Full Story

PRIVACY LAW—U.S.

Judge: Apple Must Disclose More in Lawsuit (March 8, 2013)

A judge has ordered Apple to disclose detailed evidence in a geolocation lawsuit, Bloomberg reports. Noting he cannot rely on what the company tells him, U.S. Magistrate Judge Paul S. Grewal issued the order following claims by the plaintiffs’ representation that the company has withheld documents it had previously been ordered to share. The lawsuit claims Apple collected location data on users through smartphones after users turned off the geolocation feature. Grewal said he had already “refereed” the case and it is “unacceptable” that Apple still has not complied. “Luckily for the plaintiffs, Apple has provided more than enough evidence itself to suggest to the court that it has not fully complied with the court’s order,” he wrote.
Full Story

ONLINE PRIVACY—UK

Updated Street View Images Cause Concern (March 8, 2013)

One resident of a British neighborhood recently discovered images of his home and the homes of his neighbors on Google’s Street View mapping service after the residents had requested they be removed, reports The Telegraph. Google had removed the images after the 2009 request, but updated images of the neighborhood on the site include unaltered views of the homes. The residents now must reapply if they want images of their homes blurred. “Google is a technology company,” said one homeowner, adding, “it ought to be easy for them to ensure they keep blurring properties when they update the images.”
Full Story

BIG DATA

Experts on the Dollar Value of Data (March 8, 2013)

“Big Data—the vast quantity of information now available thanks to the Internet, and which can be manipulated in ways never before possible—is becoming a backbone of corporate performance and economic growth. Yet its value isn't well-understood,” write Prof. Viktor Mayer-Schönberger and The Economist’s Kenneth Cukier for The Wall Street Journal. “With Big Data, information is more potent, and it can be applied to areas unconnected with what it initially represented,” they write, adding, “The value of information captured today is increasingly in the myriad secondary uses to which it is put—not just the primary purpose for which it was collected.” Editor’s Note: Viktor Mayer-Schönberger and Kenneth Cukier delivered a keynote address on this topic today at the IAPP Global Privacy Summit.
Full Story

PRIVACY

IAPP Unveils Westin Fellowship, Welcomes Tene To New Role (March 8, 2013)

The International Association of Privacy Professionals (IAPP) has unveiled the Westin Fellowship, named for privacy pioneer Alan Westin and intended to “encourage and enable research and scholarship in the field of privacy.” Recent graduates of undergraduate and graduate programs with high academic standing and a demonstrated interest in privacy may apply for and be awarded 12-month paid residencies at the IAPP and work on privacy research projects under the IAPP’s newly named VP of Research and Education Omer Tene.
Full Story

DATA PROTECTION

IAPP Launches Privacy Manager Certification (March 8, 2013)

Yesterday at the IAPP's Global Privacy Summit, the organization launched a companion certification to its long-standing CIPP: the Certified Information Privacy Manager (CIPM).
Full Story

PRIVACY LAW—EU

EC May Soften Proposed Regulation (March 7, 2013)
A year after its introduction and amidst controversy, the European Commission may “water down” aspects of its proposed data protection regulation, ZDNet reports. A number of member states—including the UK, Germany, Sweden and Belgium—have said the proposed rules are too prescriptive. U.S. technology companies have lobbied for provisions of the draft to be removed entirely. During a speech in Brussels today, EU Justice Commissioner Viviane Reding said lobbyists’ “predictions of doom are not justified. Data protection law has not fallen from the sky.” She cited an “overblown discussion on consent,” noting 27 national data protection authorities agree that user consent should be explicit in the final regulation. “What will this mean in practice?...Hundreds of pop-ups on your screens? Smartphones thrown in the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists,” she said. The commission’s Justice Committee will meet this week to discuss the proposal.

PRIVACY LAW—U.S.

Lawmakers Push ECPA-Update Bill (March 7, 2013)

The Verge reports on the Online Communications and Geolocation Privacy Bill, a bi-partisan attempt to update the Electronic Communications Privacy Act of 1986 (ECPA). The new bill aims to apply protections to consumers’ e-mail and location data stored by third parties, requiring police and government to obtain a warrant before accessing such data. Google says of the 8,438 requests for user data between July and December 2012, 1,896 came with a warrant, and major carriers have reported 1.3 million requests in 2012. Rep. Zoe Lofgren (D-CA), who is co-sponsoring the bill, said, “Fourth Amendment Protections don’t stop at the Internet. Americans expect Constitutional protections to extend to their online communications and location data.”
Full Story

CYBERSECURITY—U.S.

Firms Seek Protection from Data Sharing Lawsuits (March 7, 2013)

Companies are urging Congress to provide incentives and protection for joining the White House’s initiative to strengthen the nation’s computer infrastructure, Bloomberg reports. According to the Obama administration’s February executive order, the U.S. is to create cybersecurity standards for critical industries and a framework for speeding up threat data sharing between the federal government and the private sector. “Cybersecurity is largely a voluntary effort, and the task of the government is encouraging companies to participate…If you don’t have liability protection, that task is infinitely harder,” said Goodwin Procter attorney Gus Coldebella, who previously worked for the Department of Homeland Security.
Full Story

EMPLOYEE PRIVACY—GERMANY

Courts Clarify Data Rules (March 7, 2013)

Hunton & Williams’ Privacy and Information Security Law Blog reports on two recently published German court decisions clarifying German employee data law. The decisions “validate the independence of works councils in determining how to comply with data protection law and clarify when unused employee e-mail accounts can be deleted,” the report states. The Federal Labor Court of Germany held that a business cannot dictate how its works council complies with data protection law, and the Higher Regional Court of Dresden has clarified when businesses may delete e-mail accounts.
Full Story

PERSONAL PRIVACY—U.S.

Gun Owners’ Privacy Protected Under New Bill (March 7, 2013)

Mississippi Gov. Phil Bryant has signed a bill making the state’s list of gun holders private information. “As a matter of public safety, I remain opposed to releasing personal information on law abiding gun owners,” Bryant said. “Sensitive gun owner information is entitled to privacy protections—just like medical records, tax documents and personnel files.” The bill’s opponents worry restricting access to such information could lead to a slippery slope. Meanwhile, Missouri State Rep. Todd Richardson (R-Poplar Bluff) has filed a House bill that “would prohibit the Missouri Department of Revenue from scanning and transferring personal documents to an out-of-state database.”
Full Story

SOCIAL NETWORKING

Carnegie Mellon Study: Facebook Users Shared More Over Time (March 7, 2013)

The Huffington Post reports on a Carnegie Mellon University study that followed the privacy practices of 5,076 Facebook users for six years. Researchers found that “during the first four years, users steadily limited what personal data was visible to strangers...” But after Facebook's changes to its platform in 2009 and 2010, users began to share more data with the public. Additionally, “even as people sought to limit what strangers could learn about them from their Facebook profiles, they actually increased what information they shared with their friends.” The researchers said the study’s results highlight “the power of the environment in affecting individual choices.”
Full Story

SURVEILLANCE—U.S.

Privacy Board To Probe Agency Data Program (March 6, 2013)
The Wall Street Journal reports on the Privacy and Civil Liberties Oversight Board’s (PCLOB) investigation of the National Counterterrorism Center’s counterterrorism program, which analyzes a large data set on innocent American citizens. The program allegedly allows the agency to examine government files on citizens for possible criminal behavior with or without reason for suspicion, the report states. This was the PCLOB's second public meeting since its creation. Members said they also met with the National Security Agency about its surveillance programs. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Federal Judge Dismisses Privacy Lawsuit (March 6, 2013)

A federal judge has dismissed a lawsuit against LinkedIn that claimed the professional-networking service failed to comply with industry security standards for encrypting user password data, Bloomberg reports. The suit was filed last year after the company’s website was hacked and 6.5 million user passwords were posted on an unrelated site. In dismissing the suit this week, U.S. District Judge Edward Davila said the plaintiffs did not demonstrate a “causal connection” between the company’s alleged privacy policy misrepresentation and their harm, the report states.
Full Story

DATA RETENTION—ITALY

Police and DPA Launch Telecom Investigation (March 6, 2013)

The Italian Financial Police and Italy’s data protection authority (Garante) have launched an investigation into compliance with regulations on telephone and computer traffic data retention, Telecompaper reports. The investigation involves 11 telephone companies and Internet service providers following nine registered cases over alleged administration violations of the Privacy Code, the report states, including failure to adopt protective measures on data retention mandated by the Garante.
Full Story

ONLINE PRIVACY—U.S.

Attorney: W3C Should Halt Proceedings (March 6, 2013)

An attorney advising industry organizations on privacy issues has asked the World Wide Web Consortium (W3C) to halt all proceedings following its decision to extend its charter, MediaPost reports. The W3C recently announced the renewal of its charter through 2014, a move attorney Alan Chapell says was not done in a “transparent manner” and “constitutes a fatal flaw that will negatively impact the legitimacy of this group’s output unless rectified.” The W3C has been working to forge advocacy and industry consensus on a do-not-track mechanism for the last two years. W3C Chair Peter Swire, CIPP/US, says he did not predict an extension of the group’s charter would stir controversy and the group should proceed.
Full Story

PRIVACY—U.S.

Governor: Use of Facial Recognition Software Led to 2,500 Arrests (March 6, 2013)

New York state officials say the Department of Motor Vehicles’ (DMV) use of facial recognition software for driver’s licenses since 2010 has resulted in more than 2,500 arrests for identity theft, NBC News reports. New York’s DMV has investigated 13,000 cases of potential identity fraud using the software. In addition to the arrests, more than 5,000 individuals have faced administrative action, according to New York Gov. Andrew Cuomo. Privacy advocates, however, say the use of facial recognition technology poses risks. “One potential problem, from a privacy standpoint, is the sharing of facial recognition databases with other governmental and non-governmental entities,” said EPIC’s Ginger McCall.
Full Story

PRIVACY—U.S.

Smart Car Data Perks Third Parties’ Ears (March 6, 2013)

The Washington Post reports on the future of cars, which will “soon be so linked into wireless networks they will be like giant rolling smartphones.” While cars have long had the ability to gather data for safety and performance monitoring, the ability to connect to networks may allow third parties—including law enforcement—to access the data, with few U.S. laws to regulate its use, the report states. ABI Research predicts more than 60 percent of vehicles will have Internet connectivity by 2017. “The cars produce literally hundreds of megabytes of data each second,” said one expert, adding, "the technology is advancing so much faster than legislation or business models are keeping up.”
Full Story

PRIVACY LAW—ITALY

Court: Service Providers Not Responsible for User Content (March 5, 2013)
Court documents have been released on the December ruling by a Milan court acquitting three Google executives on charges alleging violation of an Italian child's privacy after a video of the boy being bullied was posted on one of the company's websites. “The possibility must be ruled out that a service provider which offers active hosting can carry out effective, pre-emptive checks of the entire content uploaded by its users,” the court said in its ruling, adding such an obligation would impose a “pre-emptive filter on all the data uploaded on the network, which would alter its own functionality.”

INFORMATION ACCESS—NEW ZEALAND

Commissioner Issues Emergency Response Code (March 5, 2013)

According to a media release, Privacy Commissioner Marie Shroff has issued a code of practice that allows for information-sharing between response agencies in times of emergency. "Once a national emergency is declared, it will allow personal information to be collected, used and disclosed as part of managing the response and recovery process,” Shroff said. After a 2011 earthquake, Shroff issued a temporary code that proved useful and was the impetus for creating “a code that would be triggered without delay” in future emergency situations.
Full Story

PRIVACY LAW—CANADA

Stoddart Wants Review of PIPEDA (March 5, 2013)

Federal Privacy Commissioner Jennifer Stoddart is pushing for a review of the Personal Information Protection and Electronic Documents Act (PIPEDA), noting that the law requires review every five years and the last was scheduled in 2006. Financial Post reports that Stoddart would like to see changes including the way PIPEDA treats personal information in relation to corporate responsibility; better transparency when data is used by law enforcement and government; clarification of PIPEDA’s use of “lawful authority”; and the addition of mandatory breach notification. “PIPEDA’s soft approach...is, I believe, only partly effective against the quasi-monopoly of these multinational corporate giants,” Stoddart said.

PRIVACY LAW—U.S.

FTC’s Weinman To Move to Tech Lobbying Firm (March 5, 2013)

Federal Trade Commission (FTC) Attorney Yael Weinman will depart next month to serve as vice president for global privacy policy and general counsel at tech lobbying firm Information Technology Industry Council (ITI), The Hill reports. Weinman is currently attorney advisor to FTC Commissioner Julie Brill, specializing in domestic and international privacy and data security issues. Weinman is slated to work with policymakers and stakeholders to design a balanced approach to privacy policies, according to ITI Senior Vice President for Global Policy John Neuffer. Noting the move is “a major step forward for the tech sector,” Neuffer said, “Yael will be leading the charge to drive balanced approaches to privacy that enhance innovation while also protecting an individual’s personal data.”

DATA PROTECTION—EU

Reding and Aigner: Regulation Reform a “Historic Opportunity” (March 5, 2013)

EU Justice Commissioner Viviane Reding and German Consumer Protection Minister Ilse Aigner say the proposed EU General Data Protection Regulation is an “historic opportunity” to modernize existing data protection rules. Following a meeting in Brussels last week, Reding and Aigner issued a statement that now is the time to set the proper data protection standards to benefit both consumers and industry. “There must be no loopholes for social networking sites, app providers or online traders. We have to ensure that EU law also applies to service providers based outside the EU or to data which is stored in the cloud anywhere in the world.” Consumer choice is essential regarding the deletion of data, they added.

ONLINE PRIVACY

The Shift from Regulatory Requirement to Selling Point (March 4, 2013)
The New York Times reports on privacy’s shift from a regulatory focus to a competitive differentiator for companies. Noting Microsoft’s recent efforts at protecting consumer privacy via its anti-tracking signal in its latest Internet Explorer browser, Prof. Joel Reidenberg of Fordham Law School said, “You’re seeing more companies trying to do that—develop privacy-protecting services.” Additionally, companies are applying standards to the entities they do business with; for example, Apple now requires applications to acquire user permission before tracking locations. Meanwhile, CNN reports federal Do-Not-Track efforts face “an uphill road.” (Registration may be required to access this story.)

DATA LOSS

50 Million Passwords Reset After Breach (March 4, 2013)

Online personal organizer Evernote has reset the passwords for all its nearly 50 million users after “suspicious activity” was discovered on its network, PC Magazine reports. The incident “appears to have been a coordinated attempt to access secure areas,” according to a company blog post. Though the investigation is ongoing, hackers did access a database containing users’ names, e-mail addresses and passwords. Evernote says it used one-way encryption to protect the data. Meanwhile, a new study has revealed that 41 percent of more than 12,000 respondents said it can take up to a week to respond to a breach, and 28 percent said they could respond in a day.

CONSUMER PRIVACY—U.S.

Ramirez Expected To Lead on Privacy (March 4, 2013)

Edith Ramirez’s promotion to head of the Federal Trade Commission comes as marketing companies face increasing regulatory scrutiny over consumer privacy, MediaPost reports. Ramirez “is generally considered a privacy advocate” and a supporter of Do-Not-Track efforts, the report states. Two years ago, she testified in front of Congress that companies should improve their efforts to communicate their privacy practices to consumers, the report states. “Most consumers have no idea that so much information about them can be accumulated and shared among so many companies—including employers, retailers, advertisers, data brokers, lenders and insurance companies,” Ramirez said in her written testimony at that time. Editor’s Note: Edith Ramirez has just been added as a keynote speaker at this week’s IAPP Global Privacy Summit.

SURVEILLANCE—U.S.

License-Plate Surveillance Spreads to Smaller Cities (March 4, 2013)

The Associated Press reports on the introduction of electronic police surveillance in Little Rock, AR, through the use of license-plate scanning technology on police car dashboards. The technology scans traffic and relays the information to a database for sifting to help law enforcement locate stolen vehicles and drivers with outstanding arrest warrants, the report states. American Civil Liberties Union Attorney Catherine Crump said, “Today, increasingly, even towns without stoplights have license-plate readers,” adding, “it’s plausible that private investigators of data-mining companies could acquire this location data.” Others worry that those who have not committed a crime are scanned as well. Little Rock’s police chief said the benefits of the technology outweigh the concerns, the report states.

SURVEILLANCE—U.S.

Drones Incite Law Proposals (March 4, 2013)

Inside Higher Education reports on universities using drones for research, a practice that has gained attention since the Federal Aviation Administration released a list of all the organizations that had applied for authorized drone use. Noting privacy concerns, one expert says people should be more worried about using phones and posting photos to Facebook. Meanwhile, an op-ed in Seacoastonline advocates for New Hampshire laws to protect individuals’ privacy from drone surveillance, and an op-ed in Bangor Daily News urges Maine lawmakers to place a one-year moratorium on the use of drones by law enforcement and wait for federal standards rather than enact a state law now. Drone laws have been proposed in 15 U.S. states.

PRIVACY LAW—U.S.

DNT Bill Back Due To Lack of Industry Solution (March 1, 2013)
Sen. Jay Rockefeller (D-WV) has introduced a bill to give users the ability to opt out of online tracking, reports CNET News. The “Do-Not-Track Online Act of 2013” is similar to a bill Rockefeller proposed in 2011 and then withdrew after promises from industry that it would voluntarily develop opt-out mechanisms for users. "Industry made a public pledge to develop Do-Not-Track standards that will truly protect consumer privacy—and it has failed to live up to that commitment. They have dragged their feet long enough," Rockefeller told The New York Times. The bill also gives the Federal Trade Commission power to go after companies violating the law.

PRIVACY LAW—EU

CNIL: Google Will Be Called Before Article 29 WP (March 1, 2013)

The Article 29 Working Party (WP) is calling for Google to appear before the group of EU data privacy authorities (DPAs) in advance of “repressive action, which should start before the summer,” France’s DPA, the CNIL, announced Thursday. The announcement followed reports last week that the WP would make its decision by the end of the month, and Businessweek reports the WP “decided to pursue Google after a two-day meeting in Brussels.” A Google spokesman said, “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process and will continue to do so going forward.”

CONSUMER PRIVACY—U.S.

New FTC Chair Expected To “Blaze New Ground” (March 1, 2013)

Federal Trade Commissioner Edith Ramirez, recently designated by the Obama administration as the next chair of the Federal Trade Commission, is expected to “champion globalized approaches to consumer privacy protection,” AdvertisingAge reports. Jeffrey Chester of the Center for Digital Democracy said, “Under (Ramirez’s) leadership, we expect the FTC to blaze a new ground on privacy.” Ramirez has expressed interest in leadership on APEC’s cross-border privacy rules and the intersection between privacy and technology.

ONLINE PRIVACY

Web Anonymity Tensions Persist (March 1, 2013)

The Hill reports on discussions at this week’s RSA conference in support of reviving “a heated cybersecurity debate over whether to preserve anonymity and the use of pseudonyms in online chat forums and social networks” amidst ongoing tension “between free speech advocates and those who say tougher steps are needed to boost cybersecurity on the Internet.” Meanwhile, a CNN report focuses on a panel discussion by industry leaders at the event, asking the question, “Will people share their personal data freely in exchange for more customized service? Or will they become fiercely protective of private information, using tools and browsers that protect their identity from advertisers and other third parties?”

PERSONAL PRIVACY—CANADA

Clayton Investigating Ed Minister’s E-mail (March 1, 2013)

Alberta Information and Privacy Commissioner Jill Clayton is investigating a mass e-mail sent by Education Minister Jeff Johnson to determine whether it complied with the Freedom of Information and Protection of Privacy (FOIP) Act, reports Edmonton Journal. The e-mail was sent to more than 30,000 teachers. Johnson says “it’s entirely appropriate that the minister would take those contacts that are residing within his ministry to communicate with professionals about the profession that he’s responsible to regulate.” The Alberta Teachers’ Association submitted a complaint to the Office of the Information and Privacy Commissioner. Clayton said she launched her investigation on “her own motion” and will make recommendations and a public report if the minister’s actions contravened the FOIP Act.

PRIVACY LAW—U.S.

A Roundup of State Legislative Actions (March 1, 2013)

Maine State Rep. Sharon Treat (D-District 79) has introduced a bill that would set a 30-day window for organizations to report breaches and establish fines of $1,000 to $5,000 for violations. Pennsylvania’s Supreme Court recently upheld a lower court’s ruling against a teacher who sought to prevent the disclosure of his home address. In New York, a Monroe County Court judge has ruled a cell phone user has no reasonable expectation of privacy that police will not use the phone’s GPS function for tracking purposes. In Utah, a bill forbidding employers and schools from requesting workers’ and students’ social media passwords or usernames has passed the House. In California, a lawmaker has introduced a bill that would extend the Song-Beverly Act to online purchases. And in Minnesota, criminal charges have been dismissed against a Minneapolis city employee who “allegedly used driver’s license information inappropriately.” One expert says data breach prosecutions are very rare.

BIG DATA—U.S.

Big Value or Big Brother? (March 1, 2013)

John Havens writes for Mashable about the potential for Big Data across all sectors—government, health and city planning, to name a few—and advocates that industry take control of this evolution. While privacy figures prominently in the discussion, “industry has to arrive at a level of self-regulation or it will get regulated by people who don’t understand what they’re doing,” says Edd Dumbill of O’Reilly Radar. Havens notes that privacy concerns keep organizations from “fully leveraging” Big Data and advocates vertically integrated data solutions and a “team of connected experts” to manage those concerns. Meanwhile, NETWORKWORLD reports about the danger to privacy rights if data is allowed to be mined indiscriminately, questioning “how it would be possible for Big Data analytics not to become ‘Big Brother.’”

ONLINE PRIVACY

Opinion: The Cost of Blocking Cookies (March 1, 2013)

Joshua Koran of the cloud marketing platform Turn writes for Advertising Age about the impact that blocking cookies would have not only on digital advertising but also on small publishers and consumer choice. “Nearly everyone agrees that we each have a right to privacy embedded in our own identity. But each of us is also a consumer of advertising-subsidized content, and that advertising relies on the use of anonymous data. Transparency and choice are two fundamental principles that underlie digital privacy guidelines. But how can users make informed choices if they don't understand the implications of their decisions?” Koran writes.

PRIVACY LAW—EU & U.S.

Coviello: Laws Benefit Criminals, Not Citizens (March 1, 2013)

Art Coviello, chairman of security giant RSA, told TechWeekEurope he believes current privacy legislation is too strict. He specifically points to European privacy laws, noting that he’s heard concerns from EU CEOs about contradictory laws making it impossible to effectively implement necessary data protection tools. In an effort to protect civil liberties, the EU in its privacy laws is allowing “criminals and others to trample those very same civil liberties,” Coviello said, adding, “we ought to be able to have a meaningful dialogue with people on both sides…the privacy people should see what I see, because it would scare the heck out of them.”