Privacy News | Daily Dashboard

Top Privacy News

SURVEILLANCE—U.S.

Posner: Privacy Laws Have Little Social Benefit (April 30, 2013)
“There is a tendency to exaggerate the social value of privacy,” writes Judge Richard Posner of the U.S. Court of Appeals for the Seventh Circuit and a senior lecturer with the University of Chicago Law School, for the New York Daily News. Against the backdrop of the Boston Marathon bombings, Posner discusses the balance between privacy and security, asserting that privacy laws don’t “confer social benefits comparable to those of methods of surveillance that are effective against criminal and especially terrorist assaults.” Posner says critics of surveillance ignore deterrence, and while acknowledging issues surrounding government surveillance of digital information, says surveillance technologies are “also used by our enemies. We must keep up.”

PRIVACY LAW—CANADA

Canada’s Grapple with Privacy and Freedom of Expression (April 30, 2013)

A recent Alberta Court of Appeal decision that the province’s privacy law is unconstitutional can be seen as potentially rippling through the country at large and setting up a clash between privacy and freedom of expression, as included in the charter passed in 1982. This clash between privacy and freedom of expression is particularly interesting because while freedom of expression is a “fundamental right” under the charter, there is no similar privacy right, except as listed in the legal rights of those dealing with the justice system. This exclusive for The Privacy Advisor examines how this will play out going forward.

DATA LOSS—U.S.

“Unsecured” E-mails Cause Health Data Breach (April 30, 2013)

A Texas-based hospice center is informing more than 800 patients of a data breach after an employee allegedly sent out at least two “unsecured” e-mails containing sensitive patient information, Health IT Security reports. The e-mails in question included recent referrals and admission activity reports, and compromised data included patient names, referral sources, admission and discharge dates and insurance providers. Hope Hospice discovered the breach during a routine security check and has said employees have since gone through additional training.

DATA PROTECTION

A Look at Acxiom’s Privacy Team (April 30, 2013)

With growing consumer awareness and regulatory scrutiny of so-called “data brokers,” companies such as Acxiom rely heavily on their privacy teams for company-wide success. In this exclusive, Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, tells The Privacy Advisor about the work she and her team of “privacy consultants” perform within the company and the role they play in shaping and launching Acxiom’s new products and services.

ONLINE PRIVACY

Data Cache Delivers Predictive Analytics (April 30, 2013)

CNN reports on Google’s predictive search feature, Google Now, which uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development.

ONLINE PRIVACY

Given “Doxing,” Hackers Need Not Apply (April 30, 2013)

NBC News reports on the practice of “doxing,” or document tracing. Recently, celebrities have been at the practice’s mercy; Microsoft CEO Bill Gates was recently outed online for having an outstanding debt on his credit card, for example. But doxing data isn’t produced via hacking; it’s “either already public or accessible by, for example, paying an online people-finding service to get a Social Security number and then running a credit check,” the report states. Data is also gleaned from social media sites. One human rights advocate says posting online has widespread implications. “There’s nothing you can do in the electronic world that your boss can’t find and you can’t be fired for,” he said.

CYBERSECURITY—U.S.

White House Shifts Stance; FBI Driving Wiretap Bill (April 29, 2013)
The Obama administration is changing its position on the path to creating a critical cybersecurity infrastructure from mandatory standards to a more voluntary approach lined with compliance incentives for private companies, The Washington Post reports. White House Cybersecurity Coordinator Michael Daniel said, “This is a huge focus for my office right now—driving forward and staying on track with the executive order.” The National Association of Federal Credit Unions has urged the Senate to consider cybersecurity legislation. The Post also reports on a government task force crafting legislation “that would pressure companies such as Facebook and Google to enable (FBI) officials to intercept online communications as they occur.” The Center for Democracy & Technology’s Greg Nojeim said the bill is a “non-starter” and added, “They might as well call it the Cyber Insecurity and Anti-Employment Act.” (Registration may be required to access this story.)

DATA THEFT

50 Million Passwords Hacked (April 29, 2013)

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users, PC Magazine reports. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.”

GENETIC PRIVACY—U.S.

Professor Re-Identifies DNA Study Volunteers (April 29, 2013)

Working with her research assistant and two students, Harvard Data Privacy Lab Director Prof. Latanya Sweeney scraped data on anonymous volunteers who shared their DNA with the Personal Genome Project, re-identifying more than 40 percent of the sample, Forbes reports. Profiles of anonymous participants include information on medical conditions, illegal drug use, alcoholism, depression, sexually transmitted disease and medications, as well as DNA sequences, the report states, noting Sweeney’s team was able to discern identity from ZIP code, date of birth and gender “combined with information from voter rolls or other public records.” Sweeney has set up a website to help individuals determine how easily they could be identified by entering those three pieces of information.

PRIVACY THINKING

Will Privacy Keep Companies From Striking Big Oil? (April 29, 2013)

In previewing his talk at the IAPP Europe Data Protection Intensive, Big Data thinker Andreas Weigend equated Big Data with Big Oil. There is, of course, a key difference: “We’re not going to run out of data anytime soon,” Weigend told the crowd in London. “It’s maybe the only resource that grows exponentially…Maybe every 1.5 years we’re seeing data double, and much of that data is social data, data about ourselves.” In order for the economy to capitalize on that abundant resource, he said, personally identifying data is going to need to flow freely. Are we in danger of stoppering up the gushers?

DATA PROTECTION

Will Public Release of Privacy Audits Become the Norm? (April 29, 2013)

Last week, Facebook released some details of its FTC-mandated, independent privacy practice audit. This Privacy Perspectives blog post looks into why this could be good for the privacy profession.

PRIVACY LAW—AUSTRALIA

Privacy Week Sees Calls To Prepare for Changes (April 29, 2013)

At the launch of the Office of the Australian Information Commissioner’s (OAIC) Privacy Awareness Week, Privacy Commissioner Timothy Pilgrim and Australian Attorney-General Mark Dreyfus cautioned businesses to prepare for impending privacy reforms, ZDNet reports. "Now is the time to change existing systems and practices…The sooner these changes are embedded, the easier it will be to comply with the new measures in March 2014," Dreyfus said. The OAIC has released guidance to help covered entities better protect personal information. While not binding, Pilgrim said the guidelines send a “clear message about my expectations in this area.” A survey commissioned by McAfee found that 59 percent of employees responsible for managing customers’ personal information were unaware or unsure of the changes.

ONLINE PRIVACY—U.S.

Sen. Rockefeller On Do-Not-Track, Data Brokers (April 29, 2013)

The New York Times reports on the often mysterious data marketing trail and how one U.S. senator is working to ensure consumers have legal protections to opt out and correct personal information amassed by data brokers and other online third parties. The range of ways companies gather consumer data—from sweepstakes to online surveys—makes it difficult for users to correct errors in their marketing profiles, the report states. Sen. Jay Rockefeller (D-WV), who recently led a contentious hearing on the current status of Do Not Track, said, “People have the right to be private insofar as it’s possible in the modern world,” though he acknowledged that Do-Not-Track legislation does not address the bigger issue of consumer data collection by data brokers. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Privacy Practices Up-to-Par, Facebook Audit Reveals (April 26, 2013)
Facebook has said an independent audit shows that its privacy practices are sufficient, the Associated Press reports. As part of its settlement with the Federal Trade Commission (FTC), Facebook is required to undergo such independent audits. The company submitted the findings to the FTC on Monday. According to the report, the audit revealed that Facebook’s privacy practices meet or exceed FTC requirements. Facebook Chief Privacy Officer for Policy Erin Egan said, “We’re encouraged by this confirmation that the controls set out in our privacy program are working as intended.” The company did not reveal the auditor or any cited shortcomings, and the FTC was not available for comment on deadline, the report states.

PRIVACY LAW—U.S.

Senate Judiciary Passes ECPA Reform (April 26, 2013)

In a unanimous vote, the Senate Judiciary Committee yesterday passed reforms to the Electronic Communications Privacy Act (ECPA). Called the ECPA Amendments Act, the update would require law enforcement to obtain a warrant prior to accessing a user’s private online content, The Verge reports. “After years of work on ECPA reform, the time has come for Congress to enact these common-sense privacy reforms,” Sen. Patrick Leahy (D-VT) said. The Center for Democracy & Technology praised the reform. “With the vote today,” CDT Senior Counsel Greg Nojeim wrote, “Congress took a huge step toward finally updating ECPA to ensure e-mails and documents we store in the cloud receive the same Fourth Amendment protections as postal mail and documents we store in desk drawers in our homes.”

ONLINE PRIVACY—CANADA

Committee Calls for Voluntary OPC Guidelines (April 26, 2013)

The House of Commons Standing Committee on Access to Information and Privacy is not recommending the government give the Office of the Privacy Commissioner (OPC) power to fine companies for breaking federal privacy law, instead calling on the OPC to “establish guidelines to help social media and data management companies develop practices that fully comply” with the law. Postmedia News reports the committee voiced concern that “major social media companies, while doing business in Canada, prefer to be governed by laws other than those of this country.” The guidelines would address how websites and data brokers “collect and use the personal information of Internet users”; however, “any direction provided under the proposed guidelines would only be voluntary,” the report states.

ONLINE PRIVACY—U.S.

CA Lawmaker Proposes DNT Honesty-Checker (April 26, 2013)

California Assemblyman Al Muratsuchi (D-66th District) has proposed a bill requiring website operators to disclose whether their sites honor consumer requests to disable tracking and if they do not allow third-party tracking of site users, Information Week reports. Author Mathew Schwartz calls the bill “a rare note of clarity” in the Do-Not-Track (DNT) debates. Industry efforts stalled last November, causing some members of the Senate Commerce Committee to question their commitment to the initiative. Sen. Jay Rockefeller (D-WV) is pushing for legislation that includes DNT, but not everyone agrees this is the best solution. George Mason University Researcher Adam Thierer says working to educate people while “pushing for greater transparency about online data collection practices” is the right course.

CYBERSECURITY—U.S.

Officials: Privacy Concerns Will Kill CISPA (April 26, 2013)

“The Senate will almost certainly kill a controversial cybersecurity bill, recently passed by the House,” due to privacy concerns, ZDNet reports, citing a Senate committee aide. Senate Committee on Commerce, Science and Transportation Chairman Jay Rockefeller (D-WV) has said the privacy protections in the Cyber Intelligence Sharing and Protection Act (CISPA) are "insufficient," the report states, noting the White House has also said President Barack Obama will not sign the bill. The House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies heard testimony from privacy experts including Mary Ellen Callahan, CIPP/US, and Harriet Pearson, CIPP/US. Meanwhile, the Department of Homeland Security is also preparing to “deploy a more powerful version” of its EINSTEIN intrusion-detection system, but COMPUTERWORLD reports its deep packet inspection technology is raising “serious privacy concerns.”

CHILDREN’S PRIVACY—U.S.

FTC Releases COPPA FAQs (April 26, 2013)

The Federal Trade Commission (FTC) has issued Frequently Asked Questions (FAQs) to help clarify changes to the Children’s Online Privacy Protection Act (COPPA) that go into effect on July 1, reports Forbes. The FAQs cover enforcement, privacy policies and notifications, geolocation data, verifiable parental consent and COPPA in schools, the report states. The FAQ also includes a list of things that covered entities must do, like post a comprehensive privacy policy, provide direct notice to parents and offer parents the ability to prevent further use or collection of their children’s data.

PRIVACY LAW—EU

Coalition: Revised Law Would Undermine Privacy (April 26, 2013)

A coalition of international civil liberties groups is contending that proposed changes to the EU’s data protection regulation “would strip citizens of their privacy rights,” IDG News Service reports. The move to create one regulation to replace the existing data protection laws in the EU’s 27 member states “obviously requires compromise, but many parliamentarians report never seeing lobbying on such a scale before,” the report states, noting the civil liberties coalition, which includes such groups as EDRI and Privacy International, has set up a website “to help concerned citizens contact their representatives in the Parliament.” Editor’s Note: At the recent IAPP Europe Data Protection Intensive, industry representatives and privacy experts weighed in on the implications of the proposed EU data protection regulation.

RFID—U.S.

Student Attendance Program Raises Concerns (April 26, 2013)

A pilot program in Georgia designed to track children on their way to school using Radio Frequency Identification (RFID) technology is raising concerns among some privacy advocates. International Business News reports on the pilot program announced by East Coast Diversified, a company that specializes in “student transportation and class attendance management systems.” Andrej Jeremic, director of marketing and business development for the company, said, “We don’t track students…We watch for anomalies.” A similar program has been scrutinized in Texas. A representative from the Electronic Privacy Information Center said, “What you’re doing is telling kids it’s normal to be tracked.”

HEALTHCARE PRIVACY—U.S.

New HIPAA Rules Create New Responsibilities (April 26, 2013)

With the final omnibus HIPAA and HITECH rule released by the Department of Health and Human Services in January, there are new concerns for healthcare privacy, writes Rita Bowen for Becker’s Hospital Review. Business associates and subcontractors can now be held directly liable for any breach of personal health information (PHI) and are now responsible for breach reporting. Breach documentation must be maintained for six years, and there are new limits on use and disclosure of PHI. Bowen writes that “adherence to HIPAA must be an ongoing, full-time effort,” and “privacy is not a one-and-done; it must become part of the fabric of your organization.”

PERSONAL PRIVACY

Researcher: Internet of Things Is “Bit of a Wild West” (April 26, 2013)

The Globe and Mail reports on the growth of Internet-connected devices known as “the Internet of Things”—washing machines, overhead lights, smart scales and more that can all be controlled by owners’ mobile devices. The Organisation for Economic Co-operation and Development estimates the average household with two teenagers will own around 50 Internet-connected devices by 2022. “The vast majority of the future devices of this type don’t exist today,” says Stephen Prentice of Gartner. “If you can measure it, then someone is going to have a device to do that and someone will find a use for that data.” Prentice cautions that the regulatory environment isn’t keeping pace with technology, saying, “At the moment, it’s a case of buyer beware.” Editor’s Note: Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, recently wrote about the Internet of Things in a Privacy Perspectives blog post.

DATA PROTECTION—EU

Former ICO Wants Rewrite of Chapter IV (April 25, 2013)
Noting the prescriptive and inflexible nature of the EU’s draft data protection regulation, former UK Information Commissioner Richard Thomas used his keynote address here at the IAPP Data Protection Intensive in London on Thursday to outline an alternative framework that would focus more simplistically on outcomes, provide incentives for regulatory requirements and allow for as much self-enforcement as possible.

ONLINE PRIVACY—U.S.

Privacy Hearing Gets Contentious in Senate (April 25, 2013)

Senate Commerce Committee Chairman Jay Rockefeller (D-WV) had blunt words for the online advertising industry at a hearing on Do-Not-Track (DNT) legislation yesterday, MediaPost reports. “There’s a broad feeling that the advertisers and data brokers are just dragging their feet,” he said, adding, “And I believe they’re doing it purposely.” In his call for DNT legislation, Rockefeller said he doesn’t believe “companies with business models based on the collection and monetization of personal information will voluntarily stop those practices if it negatively impacts their profit margins.” Digital Advertising Alliance Managing Director Lou Mastria said the previous DNT agreement was “short-circuited” by recent privacy decisions by at least two browser-makers. In a column for Wired, W3C Co-Chair Peter Swire, CIPP/US, warned of a looming “digital arms race” that could have damaging effects for everyone involved. The solution? “The same way we defuse any other arms race,” Swire wrote, “through negotiation.”

TRAVELERS’ PRIVACY—EU

Committee Votes Down PNR Bill (April 25, 2013)

The EU Parliament’s Civil Liberties Committee on Wednesday voted against plans for sharing airline passenger data among EU nations, PCWorld reports. The plans call for a passenger name registry, similar to a current agreement with the U.S., that would share the names, contact details and payment data of passengers. Dutch MEPs Sophie In’t Veld and Jan Philipp Albrecht welcomed the vote, the report states, noting that citizen rights and the rule of law had been considered first. UK MEP Timothy Kirkhope said the vote was “irresponsible” and accused other MEPs of putting “ideological dogma before a practical and sensible measure that would have seriously assisted our fight against crime and terror.” BBC News provides video of the Parliamentary debate.

HEALTHCARE PRIVACY—U.S.

Does HIPAA Prevent Background Check Compliance? (April 25, 2013)

The Office for Civil Rights has issued an advance notice of proposed rulemaking to address concerns that in some states the HIPAA Privacy Rule may prevent states from “reporting the identities of individuals subject to the mental health prohibitor” to the National Instant Criminal Background Check System (NICS), Examiner.com reports. The notice is an effort to get public input on ways to address these barriers, adding, “In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS…”

PRIVACY LAW

Businesses Discuss the Path from Policy to Practice (April 25, 2013)

The EU’s proposed data protection regulation and the numerous amendments that have been proposed mean significant questions, as was highlighted during the IAPP Europe Data Protection Intensive breakout session, “Paving the Way from Policy to Practice.” Moderated by LexisNexis Privacy and Data Protection Senior Director Emma Butler, the session featured privacy officers from Procter & Gamble, Siemens and Facebook outlining how they see the looming regulation affecting their operations and what they’re doing to prepare. This exclusive for The Privacy Advisor highlights their perspectives on “reading the tea leaves” of the thousands of pages of amendments still to be decided.

DATA PROTECTION—GERMANY

Privacy Regulators Criticize Companies’ Tactics (April 25, 2013)

Bloomberg reports on criticism levied by German data protection regulators on Google and Facebook in light of investigations into the companies’ privacy practices. Regulators said the companies have used “delay tactics” and have exercised “impertinent” behavior during the probes, the report states. Federal Data Protection Commissioner Peter Schaar said “Google will keep making attempts to delay investigations through continuous correspondence and always freshly repackaging arguments.” Google was fined by Hamburg’s data protection commissioner earlier this week. A German appeals court has also rejected an attempt by Schleswig-Holstein Data Protection Commissioner Thilo Weichert to require Facebook to allow users to register under pseudonyms. Facebook said, “We’re seeking to have a constructive dialogue with all groups, also with our greatest critics.”

PRIVACY LAW—EU & UK

Smith: Proposal Over-Legislates, Won’t See Agreement Until 2014 (April 25, 2013)

Deputy Information Commissioner David Smith told InfoSec conference attendees this week that he expects a clear picture of the impending EU data protection legislation in early 2014, Computer Weekly reports, adding that he believes there will be some change to the current proposal but nothing significant. In Smith’s opinion, the European Commission’s proposal over-legislates and takes a “tick box” approach, making it unworkable for the UK. "The problem is because we're going for harmonization, all those measures are spelled out in detail, listing all the types of documentation you can keep…We're more bothered about assessing the risk and the outcomes than box-ticking; it's about privacy—it's not about having the right paperwork."

DATA LOSS—U.S.

Health Info Breach at 911 Center (April 25, 2013)

A 911 emergency dispatch center in Monroeville, PA, is notifying all users of the service in 2012 or 2013 that they should “take all necessary steps to make sure that all your personal information is safe and secure.” A complaint alleges the center e-mailed personal information to a former police chief and allowed callers’ medical information to be anonymously accessed using generic user names and passwords. An investigation into the breach is underway, but investigators do not yet have “any specifics on who had access to the system or the dates the system had been breached.”

PRIVACY LAW—EU

Hustinx Outlines Road Ahead for Regulation (April 24, 2013)
As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.”

CHILDREN’S PRIVACY—U.S.

Advocates Ask FTC To Not Delay COPPA (April 24, 2013)

In response to an industry-backed letter asking the Federal Trade Commission (FTC) to postpone implementation of new COPPA rules for six months, privacy groups on Tuesday urged FTC Chairwoman Edith Ramirez not to delay, AdWeek reports. Signed by 19 privacy groups, including Common Sense Media and the Electronic Privacy Information Center, the letter to Ramirez said the delay is “unwarranted” and would harm children and “undermine the goals of both Congress and the FTC.” COPPA updates are slated to go into effect on July 1.

DATA PROTECTION

Vodafone’s Deadman: Show Us the Carrots (April 24, 2013)

If privacy regulators and consumers want transparency and accountability from corporations, companies need more than a stick: They need a carrot, too. That’s according to Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group. During his keynote at the IAPP Data Protection Intensive in London on Wednesday, Deadman said companies’ approaches to privacy in the last decade have been based on the bare minimum of tactical legal compliance rather than meaningful integration from the ground up, but changes in technology and in consumer expectations are starting to shift that model.

FINANCIAL PRIVACY—U.S.

CFPB Head Defends Data Collection Plan (April 24, 2013)

Testifying at a Senate Banking Committee hearing, U.S. Consumer Financial Protection Bureau (CFPB) Director Richard Cordray defended his agency’s data collection plans, Bloomberg reports. He said the data collected is not privacy-invasive and parallels techniques already used in the private sector. “The big banks know more about you than you know about yourself,” Cordray said, “And me, too, as a consumer.” The CFPB is currently collecting data from credit bureaus and requesting large amounts of data from major banks in order to improve the agency’s rule-writing and supervisory work, the report states. Sen. Mike Johanns (R-NE) said, “To many people, this is going to sound downright creepy.” Cordray said, “The notion that we’re tracking individual consumers or invading their privacy is quite wrong.”

DATA PROTECTION

Where Is the Regulation of Transborder Data Flows Headed? (April 24, 2013)

“Anyone working in privacy and data protection law is familiar with the restrictions on transferring data outside the European Union (EU) contained in the EU Data Protection Directive,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner in the latest installment of Privacy Perspectives. “But did you know that non-EU countries as diverse as Israel, Mexico, Russia and South Korea have similar restrictions? And that since the 1970s, over 70 countries all over the world have enacted data protection and privacy laws regulating transborder data flows?” Kuner delves into this complex topic and lays out some of his conclusions of where things are headed.

DATA LOSS—CANADA

More Than 3,000 Gov’t Breaches in 10 Years (April 24, 2013)

Documents tabled in Parliament this week show that the federal government has experienced more than 3,000 data and privacy breaches in the past 10 years, affecting more than 725,350 Canadians, Postmedia News reports. Less than 13 percent of those breaches were reported, prompting NDP critic Charlie Angus to say, “As a standard, we should involve the privacy commissioner when Canadians’ privacy is breached,” noting that there may have been circumstances when Canadians were put at risk and not informed.

PRIVACY LAW—EU

Diverging Opinions Create Challenges for EC (April 24, 2013)

The European Commission (EC) data protection proposal aims to create a coherent set of rules that would apply to all EU member states, but conflicting ideas about how to protect citizens’ privacy have created obstacles, reports Financial Times. The European Parliament is pushing for stronger protections; the EC would like to soften the proposal to lighten the regulatory burden on businesses, and industry is lobbying to water down the proposal entirely. While Ireland, the current seat of the EU presidency, would like an agreement by the end of the year, the report states that conflicting ideas suggest “it will take time and much debate before a compromise is found.” (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Industry, Scholars Back Drone Innovation (April 24, 2013)

The Association for Unmanned Vehicle Systems International has written a letter to Google Executive Chairman Eric Schmidt expressing concerns “that such an influential tech industry executive” would support bottling up a “promising technology,” Bloomberg Businessweek reports. Schmidt recently expressed concerns about drones. Meanwhile, an op-ed for Wired makes the case for why Americans should not be afraid of drones. George Mason University researchers Eli Dourado, Adam Thierer and Jerry Brito, in a Federal Aviation Administration filing, argue that constraining commercial drones to strict privacy policy requirements is “unwise and premature.” Dourado writes, “It’s true that opening up U.S. airspace…will have some important privacy implications to consider. But it’s even more important that we consider the effect of too-early, heavy-handed regulation on future innovation.”

ONLINE PRIVACY—U.S.

Opinion: Rep. Poe Pushes for ECPA Reform (April 24, 2013)

In an op-ed for POLITICO, Rep. Ted Poe (R-TX) writes, “Change usually brings challenge, and at times, our laws must adapt to reap the benefits of innovation without abridging our civil liberties, a challenge our government has been reluctant to accept.” He notes that the Electronic Communications Privacy Act (ECPA) was passed “a virtual eternity” ago when “no one knew what the ‘cloud’ was or even anticipated that it could exist.” Poe pushes for the passing of the Online Communications and Geolocation Privacy Act, a bill he co-sponsors, to modernize ECPA “to protect Internet users from intrusive and unwarranted government surveillance.”

EMPLOYEE PRIVACY—U.S.

Wall Street Takes On State Employee Laws (April 23, 2013)
The Wall Street Journal reports on an “unlikely alliance of regulators and industry groups” seeking to “carve out exemptions” in a slew of proposed state laws barring employers from accessing the social media accounts of employees or applicants. The Financial Industry Regulatory Authority (FINRA) has stated that financial institutions need an avenue to check “red flags” on personal account misuse. The proposed state laws, FINRA argues, could put investors at risk, the report states. FINRA has reached out to lawmakers in approximately 10 states, asking them to include changes to proposed employee privacy legislation. California lawmakers—in whose state the employee privacy law has already gone into effect—“rebuffed requests” by FINRA and other industry groups to include exemptions. Wisconsin is currently considering similar employee legislation. (Registration may be required to access this story.)

CLOUD COMPUTING—EU & U.S.

ITA Says Safe Harbor Covers Cloud Technology (April 23, 2013)

The U.S. Department of Commerce’s International Trade Administration (ITA) has published a report saying that U.S. companies’ compliance with Safe Harbor principles guarantees sufficient data protection, regardless of whether outsourcing contracts involve cloud computing, Out-Law.com reports. The ITA says because Safe Harbor is binding on all countries in the European Economic Area, EU data protection authorities cannot "unilaterally refuse to recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection," contrary to an Article 29 Working Party opinion released last year. One expert suggests the ITA has “not recognized some regulatory burdens facing some clients of U.S. cloud providers.”
Full Story

CONSUMER PRIVACY—U.S.

FTC Urges States To Look at Data Brokers (April 23, 2013)

In a speech to the National Association of Attorneys General, FTC Commissioner Julie Brill urged states to be more active in investigating data brokers for contravening the Fair Credit Reporting Act, Lexology reports. The FTC recently sent out letters warning companies that compile data on individuals’ rental histories. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—EU & UK

Opinion: Right To Be Forgotten Not Likely “To Live Up to the Hype” (April 23, 2013)

In a blog for The Guardian, data protection analyst Sally Annereau suggests the proposal for a right to be forgotten, which she describes as “a legal right to do a digital disappearing act,” will probably not “live up to the hype.” Annereau writes, “In particular, there are genuine concerns that this legal right will fail to deliver on the expectations it creates and will present significant challenges for businesses that have to comply. Rather than a right to be forgotten, we may end up with nothing more than a right to be frustrated.” Editor’s Note: Privacy Perspectives recently discussed the idea of a “right to be forgiven.”
Full Story

ONLINE PRIVACY—U.S.

Microsoft Launches Public Awareness Campaign (April 23, 2013)

Microsoft is introducing a public awareness campaign that includes TV, print, billboard and online ads as well as a quiz to determine consumer attitudes on privacy. The quiz aims to get people talking about their attitudes on privacy, reports The Washington Post. “It assesses how much you are interested in managing access to your information online,” said Mary Snapp, Microsoft corporate vice president and deputy general counsel, adding, “It enables you to talk about privacy choices with your friends and family.” Microsoft is rolling out the campaign in Washington, DC, and Kansas City, MO, where competitor Google “might be exposed,” an Ad Age report notes. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Fireworks Expected at Senate DNT Hearing (April 23, 2013)

AdWeek previews Wednesday’s Do-Not-Track privacy hearing and the potential “fireworks” that may ensue. Called by Sen. Jay Rockefeller (D-WV), the hearing will feature testimony from privacy advocates and the advertising industry. The report states that privacy groups, along with Rockefeller, are becoming impatient with the pace of the World Wide Web Consortium and the Commerce Department’s multi-stakeholder meetings for mobile apps. Consumer Watchdog Privacy Director John Simpson said, “The pace with both…has been glacial…We need the big stick of legislation,” and added, “It’s the only way to drive anything forward on either front.” The Digital Advertising Alliance’s Lou Mastria will testify as well and will defend the industry’s participation in the self-regulatory program, according to the report.
Full Story

SURVEILLANCE—U.S.

The Power and Limits of Facial Recognition (April 23, 2013)

Salon interviews Carnegie Mellon computer scientist Alessandro Acquisti to explore why, according to Boston’s police commissioner, facial recognition technology did not help identify the Boston bombing suspects. Among the “three or four potential hurdles,” Acquisti said image quality, available data stored in databases to match images, the high cost of such software and the problem of false positives may have all played a role. Meanwhile, Google Executive Chairman Eric Schmidt and Google Ideas Director Jared Cohen “forecast the raft of new innovation and corresponding threats that will arise for dictatorships, techno revolutionaries, terrorists and you” in an NPR interview.
Full Story

CYBERSECURITY

Data Breach Studies Highlight Risks (April 23, 2013)

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity.
Full Story

SURVEILLANCE—U.S.

Technology Aids Investigations, But at What Cost? (April 22, 2013)
In the aftermath of the Boston Marathon bombings, experts are examining the use of video surveillance and analysis to solve crimes. While technological advances and government use of surveillance enable faster identification and tracking of individuals, the debate over how to balance privacy rights with the needs of authorities continues, The Wall Street Journal reports. Some are concerned that data collected for one investigation—or even for an entirely different purpose, like applying for a license—will be retained and used in unrelated investigations. Some European regulators have expressed discomfort with the level of surveillance in the U.S. “Surveillance doesn’t give more security. That’s our experience,” said Schleswig-Holstein Data Protection Commissioner Thilo Weichert. (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

FTC’s Brill Looks To Smooth EU-U.S. Privacy “Rift” (April 22, 2013)

The Wall Street Journal reports on comments made in Brussels by FTC Commissioner Julie Brill. “I don’t want to say there’s confusion about the U.S. privacy regime,” Brill told reporters, “but there does seem to be a lack of understanding about how robust it is and how much enforcement work we actually do and how strong the laws are that we do have in sensitive areas.” Brill noted, “Last year we issued what I call our big privacy rethink…Many of the principles we talked about are actually reflected in the proposed EU regulation.” Facebook Chief Operating Officer Sheryl Sandberg said, “I believe there is a perception and fear that because we are American we don’t take privacy as seriously as Europeans do…If there is a single American who cares as much about privacy—just one—as someone in Germany, then we have to understand it.” (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

Analyzing Employee Behavior To Inform HR (April 22, 2013)

An emerging field known as workforce science is using Big Data to analyze worker behavior and apply it to human resource management, reports The New York Times. The field aggregates and analyzes patterns in employees’ digital history as well as personality-based assessments to guide hiring, firing and promotions, raising some questions about worker surveillance, the report states. “The larger problem here is that all these workplace metrics are being collected when you as a worker are essentially behind a one-way mirror,” says Marc Rotenberg of the Electronic Privacy Information Center. (Registration may be required to access this story.) Editor’s Note: Read more about privacy in HR in this Privacy Perspectives post.
Full Story

DATA PROTECTION—EU & U.S.

Is There an EU-U.S. Privacy Gap? Maybe Not a Big One (April 22, 2013)

“Privacy has always been a difficult concept to define, and privacy issues are complex,” writes IAPP President and CEO J. Trevor Hughes, CIPP/US, for the IAPP blog Privacy Perspectives. In Europe, privacy is a human right, while in the U.S. privacy tends to be thought of in terms of liberty. Are there more similarities than differences when it comes to privacy on each side of the Atlantic? Europeans and Americans might have more in common than you’d think.
Full Story

ONLINE PRIVACY

New Media Asset Tracking System Introduced (April 22, 2013)

A media industry organization has announced the results of a two-year study on a new coding system that tracks media assets—from video clips to commercials, The New York Times reports. The Coalition for Innovative Media Measurement said the system would increase revenue by the billions for media companies and help them determine where, when and how content is viewed. One analytics representative said the system would help advertisers specifically tailor ads and allow media companies “to spend less time putting the data together and more time doing analysis.” Meanwhile, a new survey from the University of Southern California reveals that Millennials—those between the ages of 18 and 34—tend to be more willing to share personal information with marketers, particularly when there’s a relevant exchange of information. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—GERMANY

145,000-Euro Fine for Google (April 22, 2013)

Hamburg authorities have fined Google 145,000 euros for collecting data from unsecured wireless networks while collecting photos for its Street View services, The Economic Times reports. Google has said the collection was a mistake and the company never analyzed the information, which it has expunged. But Hamburg Data Protection Commissioner Johannes Caspar said, "In my opinion this case constitutes one of the biggest known data protection violations in history," noting that by law, the maximum fine his office can levy for an accidental violation is 150,000 euros.
Full Story

CLOUD COMPUTING

Clarifying Privacy in the Cloud (April 22, 2013)

The “cloud” is maybe the most buzzed-about Internet sensation of the past five years, but how does working in the cloud change your privacy thinking? Maybe not as much as you think, John Wunderlich, CIPP/C, head of privacy consultancy Wunderlich & Associates told The Privacy Advisor. “What’s old is new again…you’re outsourcing to a provider who has expertise that you don’t have.”
Full Story

PRIVACY LAW—EU

Vote on Regs Delayed Until Late May (April 19, 2013)
A final vote on the EU data protection proposal was scheduled to take place Wednesday, but the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed it until May 29-30, Marketing Magazine reports. Industry is lobbying heavily against the proposal, which they say will stifle business and innovation in member states. John Pooley, of specialist agency the Data Partnership, says the proposed changes “will render both targeting and analytics and almost anyone currently engaged in digital marketing to have to review their current practices.” The delay is being attributed to an effort to concentrate on the fallout over the banking crisis in Cyprus, the report states.

CYBERSECURITY—U.S.

House Passes CISPA (April 19, 2013)

The U.S. House of Representatives Thursday passed a version of the Cyber Intelligence Sharing Act (CISPA), The Washington Post reports. The bill aims to encourage the sharing of threat data between the government and private sector. President Barack Obama earlier this week threatened to veto CISPA if it did not include stronger privacy protections. CISPA co-sponsor Rep. Mike Rogers (R-MI) said, “Our goal is to get the Senate to pass a bill…We’d love to get a bill in conference.” An amendment proposed by Rep. Alan Grayson (D-FL) that would have required law enforcement to secure a “warrant obtained in accordance with the Fourth Amendment” prior to searching databases for criminal wrongdoing was not included in the bill. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

Apple Responds to ACLU’s Siri Concerns (April 19, 2013)

Apple has responded to concerns raised by the American Civil Liberties Union (ACLU) about ambiguous information in its Siri privacy policy, WIRED reports. Terms such as “disassociated” and “period of time” have now been clarified by Apple spokeswoman Trudy Muller. “Apple may keep anonymized Siri data for up to two years,” Muller says, adding, “If a user turns Siri off, both identifiers are deleted immediately along with any associated data.” But ACLU Lawyer Nicole Ozer says Apple should do more, including linking to the Siri privacy policy from its FAQ page so consumers can review data-handling practices prior to purchasing the company’s products.
Full Story

PRIVACY LAW—U.S.

Sen. Grassley Signals ECPA Reform Support (April 19, 2013)

The Hill reports on comments made by Sen. Chuck Grassley (R-IA) signaling support for reforms to the Electronic Communications Privacy Act (ECPA). “I would anticipate this year that there wouldn’t be any problem getting (the bill) out at whatever meeting you want to bring it up,” Grassley told Senate Judiciary Chairman Patrick Leahy (D-VT) at a meeting this week. Leahy said he will bring the “e-mail privacy bill” to a vote at the next committee meeting. “I have long believed that our government should obtain a search warrant—issued by a court—before gaining access to privacy communications,” Leahy said.
Full Story

BIG DATA—U.S.

The ZIP Code Data Trail (April 19, 2013)

CNN reports on the data trail established when consumers willingly give their ZIP code to offline retailers when making a purchase. The combination of a name—given during a credit card purchase—and a ZIP code can help data brokers link a consumer’s purchasing habits with publicly available records for the purposes of targeted advertising. Privacy Rights Clearinghouse Director of Policy Paul Stephens said, “For the majority of the country, the ZIP code is going to be the piece of the puzzle that is going to enable a merchant to identify you.” The Massachusetts Supreme Court recently ruled that ZIP codes are personal information, preventing retailers from asking for ZIP codes for marketing purposes. Editor's Note: Read more about courts' recent ZIP code rulings in the May edition of The Privacy Advisor.
Full Story

BEHAVIORAL TARGETING—U.S.

Survey Shows Consumers Want Some Targeted Ads (April 19, 2013)

A Digital Advertising Alliance (DAA) survey has shown that nearly 70 percent of respondents would like at least some targeted advertisements, Ad Week reports. "It's unfortunate that targeted advertising has been conflated with all kinds of privacy fears," said DAA Managing Director Lou Mastria, adding that he hopes the study will inform the debate surrounding the necessity of legislation. "We asked real specific questions about the real-world proposition, the value exchange between advertising and the experience on the Internet," he continued. "And that yields clear answers." However, Annenberg School of Communications Prof. Joseph Turow analyzed the poll and expressed doubts over the validity of results.
Full Story

CONSUMER PRIVACY—U.S.

Ramirez: Functioning DNT System “Long Overdue” (April 18, 2013)
In a speech to the advertising industry this week, Federal Trade Commission Chairwoman Edith Ramirez impelled the industry to work with the World Wide Web Consortium to develop a browser-based Do-Not-Track standard. AdWeek reports Ramirez’s position surprised attendees by implying that the Digital Advertising Alliance's (DAA) self-regulatory program doesn’t suffice and championing cookie-blocking initiatives by Mozilla and Microsoft. DAA Counsel Stu Ingis reacted saying, "We keep getting demagogued by the FTC…The DAA’s program covers 100 percent of the advertising ecosystem,” adding, “The problems have been caused by two browser companies." Sen. John (Jay) Rockefeller (D-WV) is also pushing for Do-Not-Track and has scheduled a hearing on the issue next Wednesday.

ONLINE PRIVACY

The Intersection of Privacy and Hate Speech (April 18, 2013)

With recent tragedies in Boston and overseas, Future of Privacy Forum Founder and Co-Chair Christopher Wolf asks, “What motivates people to burn with hate to such a degree that they take innocent lives?” In this latest installment of the IAPP’s Privacy Perspectives blog, Wolf, who also serves on the board of the Anti-Defamation League, explores the intersection of online privacy and hate speech and whether privacy should sometimes “take a backseat” in order to curtail hate speech.
Full Story

PRIVACY LAW—ITALY

Google Chiefs To Face Prosecutorial Appeal in Video Case (April 18, 2013)

Google’s Senior Vice President David Drummond, Chief Legal Officer Peter Fleischer and Chief Privacy Counsel George Reyes head back to Italy to face an appeal brought by the prosecutor of a 2010 case over alleged privacy offences involving a video posted to the now-defunct Google Video service. The executives were originally given suspended six-month sentences, which were then overturned. The report states the prosecutor will now appeal the case to the Italian Court of Cassation arguing that employees can be responsible for content uploaded by users and that services should be responsible for pre-screening user-created content.
Full Story

PRIVACY LAW—U.S.

SCOTUS: Warrant Needed for DUI Testing (April 18, 2013)

The Supreme Court ruled on Wednesday that in most cases police need to try to obtain a search warrant prior to ordering blood tests for suspected drunk drivers, NPR reports. The court sided with the defense in Missouri v. McNeely, which argued that taking the defendant’s blood without his consent or a warrant violated his Fourth Amendment rights. Justice Sonia Sotomayor wrote that natural dissipation of alcohol in the blood is not generally a sufficient reason to dispense with the warrant requirement. The court did not offer guidance on when police may obtain a blood sample without a warrant, but the report states Justice Anthony Kennedy said an upcoming case may give the court an opportunity to say more.
Full Story

CONSUMER PRIVACY—U.S.

FTC Seeks Input on “Internet of Things” (April 18, 2013)

The Federal Trade Commission (FTC) is seeking input from the public through June 1 concerning the privacy implications of the “Internet of Things.” The term describes the ability of cars, appliances and medical devices to communicate with each other and people. Ahead of a public workshop to be held in November, the FTC aims to determine how privacy will be balanced with the benefits of such technology, among other concerns.
Full Story

DATA PROTECTION—U.S.

Opinion: Why Worry About NSA Database? You Give That Data Freely (April 18, 2013)

In a piece for ZDNet, David Chernicoff discusses the Utah datacenter being built for the National Security Agency. Chernicoff, a veteran of the technology world, says he received numerous e-mails on the datacenter over concerns on the government’s ability to track and store information on any citizen and its authority to read any e-mail. Chernicoff’s response? “Yes, the government can build facilities that will potentially have the capability to seriously invade your privacy. But why should they bother when the vast majority of the country is already giving up that information freely?”
Full Story

CYBERSECURITY—U.S.

White House Issues Formal CISPA Veto Threat (April 17, 2013)
The White House has formally issued a veto threat against the Cyber Intelligence Sharing and Privacy Act (CISPA), CNET News reports. Aides to President Obama said yesterday they “would recommend that he veto” a House-approved version of the bill. The formal statement said the White House “remains concerned that the bill does not require privacy entities to take reasonable steps to remove irrelevant personal information when sending cybersecurity data to the government or other private-sector entities.” Meanwhile, a proposed amendment to CISPA that would have ensured companies’ privacy promises were enforceable was voted down in the House Rules Committee.

ONLINE PRIVACY—U.S.

IRS Will Obtain Warrant Prior to E-mail Access (April 17, 2013)

In response to news last week that the Internal Revenue Service (IRS) does not obtain warrants prior to accessing suspects’ electronic communications, IRS Acting Commissioner Steven Miller said the no-warrant policy for e-mails will be abandoned, CNET News reports. Testifying in front of the Senate Finance Committee, Miller said it’s currently the IRS’s policy to get a “search warrant in advance” of accessing a suspect’s e-mail, but he said he didn’t know if that policy extended to other electronic communications such as Facebook or Twitter.
Full Story

ONLINE PRIVACY—EU

If Google Cares About Cookie Consent, So Should You (April 17, 2013)

In light of news that Google has posted language about its cookie use on websites in the EU, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, writes, “This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon…the implications become huge” for several reasons.
Full Story

SURVEILLANCE—UK

Group Challenges Gov’t Over Spyware Investigation (April 17, 2013)

Human rights group Privacy International has announced it is challenging the British government for unlawful conduct during an investigation into the export of surveillance tool FinFisher. The tool is designed to monitor communications and collect hard drive data and is capable of conducting live surveillance via webcams. Privacy International says Her Majesty’s Revenue and Customs (HMRC) illegally declined to provide information related to its investigation of the technology’s shipment to countries with “poor human rights records.” The group has filed a judicial review application at the High Court in London. If the legal action is successful, “it could set a precedent for other cases in the UK,” Slate reports.
Full Story

TRAVELERS’ PRIVACY—CANADA

Gov’t Updates Body Scanners (April 17, 2013)

Minister of State (Transport) Steven Fletcher has announced that the Canadian government is deploying software on Canada’s full body scanners to enhance passenger privacy, The Herald reports. The new Automatic Target Recognition software is now being updated to produce a computer generated stick figure rather than displaying an outline of the passenger’s body, the report states. “Our government is committed to ensuring the safety and security of all passengers traveling through Canadian airports,” Fletcher said.
Full Story

MOBILE PRIVACY

Google Releases Glass App Developer Guidelines (April 17, 2013)

The New York Times reports that Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

Opinion: Data Analysis Could Help in Marathon Investigation (April 17, 2013)

Scott Sigmund Gartner writes for USA TODAY that while privacy concerns persist with Big Data, it also may be the investigative tool that helps expose those responsible for Monday’s bombings at the finish line of the Boston Marathon. By combing through the thousands of videos from spectators, media and security cameras, authorities can crunch “an unimaginable amount of data through social network, facial recognition, geographical information systems and other analytical algorithms,” possibly revealing “who seems to be there for the race, for business or possibly for evil intent.” He added, “One of the frequently misunderstood implications of Big Data is how seemingly unimportant information can be very, very salient.”
Full Story

DATA PROTECTION—CHINA

Opinion: Guidelines Help, But Lack Enforcement (April 17, 2013)

China’s guidelines for personal information protection for public and commercial services “not only shed some much-needed light on the mainland’s data privacy regime, but also pave the way for more comprehensive regulation in the future.” That’s according to Scott Thiel of DLA Piper Hong Kong, who says in South China Morning Post that the guidelines are the mainland’s “first significant attempt at defining data privacy concepts for more general application,” but adds the application is limited in scope as it only applies to personal information stored in computer networks and only to the private sector. Additionally, the guidelines are not enforceable by law, but are instead a voluntary national standard.
Full Story

ONLINE PRIVACY—EU

Google Adds Cookie Notification to EU Search (April 16, 2013)
Google has added cookie notification language on its search and results pages to users in the EU, AdAge reports. The company has also reportedly switched from using the Digital Advertising Alliance icon to its own “i” icon information. Field Fisher Waterhouse Partner Phil Lee, CIPP/E, said, “This is a signal to the market that a very major player like Google is taking cookie consent seriously.” AdWeek reports on the implications of third-party cookie blocking for large and small businesses. “In a cookieless world, publishers with business models that naturally collect strong names and addresses and other personally identifiable information (PII) are going to be able to…connect to CRM databases,” an Acxiom representative said, adding, “For publishers that have a weak PII story, they’ve been more heavily reliant on the cookie world.” (Registration may be required to access this story.)

CHILDREN’S PRIVACY—U.S.

IAB Asks FTC for Delay on New COPPA Implementation (April 16, 2013)

Changes to the privacy rules within the Children’s Online Privacy Protection Act (COPPA), slated to be published by the Federal Trade Commission (FTC) in the form of FAQs “sometime this month,” have prompted an industry advertising group to ask the FTC for a six-month delay on implementation, AdWeek reports. “It’s a complete makeover and that will take time,” said Interactive Advertising Bureau Senior VP and General Counsel Mike Zaneis, adding, “They’ll need time to determine if they can bear the burden of a strict liability regime or convert to a pay-for-content model.” Morrison Foerster Partner D. Reed Freeman, Jr., CIPP/US, noted the changes are “a market-altering event…It won’t be the end of the world, but there will be a lot of fallout first.”
Full Story

PRIVACY COMMUNITY

A Tragedy We Can’t Ignore (April 16, 2013)

While there are privacy issues inherent in any national tragedy, this installment in the IAPP’s Privacy Perspectives is not about privacy per se, but about the recent tragedy marring the historic running of the Boston Marathon, how this event hit close to home here at the IAPP and our shared sadness for all those whose lives have been forever changed by this act of violence.
Full Story

ONLINE PRIVACY—U.S.

SCOTUS Refuses E-mail Privacy Case; Senate To Take Up ECPA Reform (April 16, 2013)

The Supreme Court has declined to hear a case that could test the boundaries of federal protection of e-mail privacy, The Christian Science Monitor reports. An appeal in Jenning v. Broome asked the court to resolve differing lower court rulings by a California appeals court and the South Carolina Supreme Court. Meanwhile, the U.S. Senate is prepared to mark up legislation this Thursday that would mandate police obtain warrants prior to searching citizens’ e-mails, The Hill reports. Bill co-sponsor Sen. Patrick Leahy (D-VT) said, “Safeguarding Americans’ privacy rights is not a Democratic issue or a Republican issue—it is something that is important to all Americans, regardless of political party or ideology.”
Full Story

CONSUMER PRIVACY—U.S.

FTC Chairwoman Releases 2013 Annual Highlights (April 16, 2013)

Newly appointed Federal Trade Commission (FTC) Chairwoman Edith Ramirez released the agency’s 2013 Annual Highlights, calling attention to several of its initiatives including protecting consumer privacy, challenging deceptive advertising and safeguarding children online. Ramirez said, “As we head into our second century, the FTC is dedicated to advancing consumer interests while encouraging innovation and competition in our dynamic economy.”
Full Story

DATA LOSS

93 Percent Knowingly Breach Company Data Policies (April 16, 2013)

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source, COMPUTERWORLD reports. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies.
Full Story

BEHAVIORAL TARGETING

Product Stops Third-Party Tracking (April 16, 2013)

The New York Times reports on a California start-up’s product allowing individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—EU & U.S.

The Challenges of Geography-Based Regulations (April 16, 2013)

San Francisco Chronicle explores the challenges that come with geographically differing regulations for online privacy. California, for example, has more defined privacy laws than other U.S. states, but non-California-based Internet companies accessed by California residents are still required to follow California law. Developer Jonathan Nelson says, "The thought of an 'international boundary' when it comes to data is really silly to me," adding, "It's archaic." But the EU is also considering regulations that say any online business used by EU citizens is subject to EU privacy laws. Parker Higgins of the Electronic Frontier Foundation adds, "The best approach isn't necessarily legislating every situation” but “giving consumers the information they need to make choices for themselves." (Registration may be required to access this story.)
Full Story

GENETIC PRIVACY—U.S.

Will DNA Database Become Public? (April 15, 2013)
The New York Times reports on a privately owned database containing information on DNA mutations that increase cancer risk and a corresponding grassroots project aimed at making that data public. Owned, built and kept private by Myriad Genetics, the database contains millions of tests on genetic mutations—data to which several researchers want access. The project, Sharing Clinical Reports, asks cancer clinics and doctors around the country to share all Myriad data they have from patient tests, and, according to the report, none of the data contains patient identifiers. On Monday, the Supreme Court will also hear a case that may determine whether two patents of genes owned by Myriad are legal. (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

FTC Approves Computer Spying Final Order (April 15, 2013)

The Federal Trade Commission (FTC) has approved nine final orders settling charges against seven companies and a software design firm, including two principals accused of using the software and computers to spy on customers. According to the FTC press release, “the respondents will be prohibited from using monitoring software and banned from using deceptive methods to gather information from consumers.” The settlements will also require the companies to get consent from users prior to using geophysical location tracking and to maintain records for the next 20 years to enable the FTC to assess compliance.
Full Story

MOBILE PRIVACY

Tech Firms Unveil Ad-Blocking Tools (April 15, 2013)

Two tech companies have started offering ad-blocking tools for mobile users, AdAge reports. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.”
Full Story

SOCIAL NETWORKING—U.S.

State AGs and Facebook Align To Educate Youth (April 15, 2013)

The National Association of Attorneys General (NAAG) and Facebook are launching plans to educate children and their parents about privacy and online safety, ABC News reports. NAAG President and Maryland Attorney General Doug Gansler said, “There are more and more parents now who understand Facebook and how it works and how their children are using it but don’t necessarily understand the privacy settings and how they work.” The partnership will launch several different online tools, including a Facebook page featuring information on privacy settings, best practices and privacy control tips. Editor’s Note: Intel Global Privacy Officer David Hoffman, CIPP/US, recently wrote about accountability and the importance of privacy education in the IAPP’s Privacy Perspectives.
Full Story

PRIVACY LAW—U.S.

Plaintiff Loses IMDb Suit (April 15, 2013)

MediaPost Blogs reports a jury has rejected claims by an actress that IMDb violated its own privacy policy by disclosing her date of birth. “It's not known why the jury rejected actress June Hoang's claim,” the report states. “But the trial did make at least one thing very clear: Lying about your age isn't easy in the era of Big Data.” Hoang sued IMDb.com in 2011, alleging the company violated its privacy policy by allegedly accessing her credit card data, which was supposed to remain confidential. IMDb.com countered that the “fine print in its privacy policy gave it cover,” the report states.
Full Story

PRIVACY

Getting More Privacy Pros Into HR (April 15, 2013)

In a recent column in The Globe and Mail, an employee poses a question to human resource experts about her company’s changing internal policy on criminal background checks and her discomfort with those changes. This IAPP Privacy Perspectives blog post explores how a privacy pro or department could both assuage employee concerns and help roll out difficult, but often necessary, company policies.
Full Story

DATA LOSS—UK

Device Losses Lead to Inquiry (April 15, 2013)

The Information Commissioner’s Office (ICO) is looking into the BBC’s recently reported loss of 785 devices, reports V3.co.uk. An ICO spokesperson said the office had not been informed of the incident, but it will “be making further enquiries into the loss of this equipment to find out the full details.” A freedom of information request revealed 399 laptops, 347 mobiles and 39 tablets lost or stolen at the BBC, which the report states is “probably low” for an organization of its size. The BBC told V3 that it has no official figures on how many devices have been issued to staff.
Full Story

PRIVACY LAW—U.S.

Case May Determine Text Message Privacy Rights (April 12, 2013)
The Washington State Supreme Court is expected to hear two cases next month involving the privacy of text messages in criminal proceedings. In both cases, alleged drug users were arrested after police intercepted their text messages without a warrant. An earlier appellate court case ruled the expectation of privacy of text messages “terminates upon delivery,” Courthouse News Service reports. Calling text messaging “the 21st-century phone call” in an amicus brief, the Electronic Frontier Foundation has argued the lower court’s decision to uphold the warrantless case “ignored the technological realities of text messaging and threatened to erode privacy protection to a ubiquitous form of communication in the United States.” The high court will hear arguments on May 7. Meanwhile, customers suing Apple for privacy violations are seeking monetary sanctions in a pretrial discovery dispute, Bloomberg reports.

CYBERSECURITY—U.S.

White House: CISPA Not Doing Enough for Privacy (April 12, 2013)

The Obama administration has issued a statement indicating it is unlikely to support the Cyber Intelligence Sharing and Protection Act (CISPA) in the form passed this week by the House Intelligence Committee, Los Angeles Times reports. “While stopping short of an outright veto threat that many privacy activists may have wanted, the statement made clear that the administration does not believe the bill in its current form does enough to safeguard personal information,” the report states. The committee voted 18-2 in support of CISPA after removing four amendments aimed at increased privacy protections.
Full Story

ONLINE PRIVACY

The Right To Be Remembered? (April 12, 2013)

Google announced yesterday on its Public Policy Blog a new service it’s calling Inactive Account Manager. What it essentially allows is for customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it.
Full Story

PRIVACY LAW—U.S.

Idaho Passes Drone Privacy Law (April 12, 2013)

Amid growing concerns over privacy, Idaho Governor C.L. “Butch” Otter signed a law restricting the use of unmanned aerial aircraft (UAV) by law enforcement and other public agencies, the Chicago Tribune reports. Idaho now becomes the second state, after Virginia, to pass legislation limiting UAV use. To use the burgeoning technology, law enforcement will need to obtain a warrant prior to collecting evidence on suspects, unless the criminal activity involves illegal drugs or if the UAV is being used for public emergencies or rescue missions, the report states. Idaho Assistant Majority Leader Chuck Widner said, “We’re trying to prevent high-tech window-peeping.”
Full Story

EMPLOYEE PRIVACY—CANADA & U.S.

Experts Ponder Background Check Question (April 12, 2013)

In The Globe and Mail’s “Nine to Five” feature, two human resources experts weigh in on questions about policies requiring employees to undergo criminal background checks. One U.S.-based expert suggests “there are limits to what a company can request of its employees. Your employer must comply with applicable federal, provincial and local employment laws.” She notes, however, that such a policy may be completely legal. A Canada-based expert cautions, “These types of background checks will likely become standard across organizations providing services to others, such as professional consulting services, and within the financial industry.”
Full Story

CHILDREN’S PRIVACY—CANADA

Surveillance Use Sparks Concerns (April 12, 2013)

In its most recent blog, the Office of the Privacy Commissioner (OPC) considers “the prevalence of high-tech surveillance tools in the day-to-day lives of children” in the wake of an investigation into a complaint about a daycare offering webcam monitoring services to parents. “Specifically, we wondered how technical surveillance might affect kids’ feelings about privacy,” the OPC blog states, noting, “Some research suggested that persistent surveillance could even result in children not knowing how to establish their own privacy, or recognize the privacy of others.” The blog points out, however, that the question “is only beginning to be studied.”
Full Story

PRIVACY LAW—U.S.

Opinion: Increased Gov’t Data Sharing Mandates Increased Oversight (April 12, 2013)

While it may be a “natural application of Big Data” for government agencies to search already collected information about U.S. citizens for suspicious patterns of behavior, Alex Howard, writing for O’Reilly Radar, says the expanded rules on government data sharing that went into effect last year are concerning. First reported by Julia Angwin at The Wall Street Journal, these new database search powers, Howard argues, are unlikely to be sufficiently checked by the privacy professionals who were bowled over when they objected to them in the first place.
Full Story

PRIVACY LAW—CANADA

Breach Notification Requirements Examined (April 12, 2013)

In this exclusive for The Privacy Advisor, PwC Data Protection & Privacy Practice Manager Ron De Jesus, CIPP/US, CIPP/C, CIPP/EU, CIPP/IT, examines Canada’s lack of federal privacy breach notification regulation. “Individual provinces have tackled breach notification in various forms,” he writes, noting, “The resulting legal landscape for notifying individuals or relevant privacy authorities following breaches of personal information is a patchwork at best.” De Jesus highlights the changes expected as federal and private-sector organizations subject to the federal Personal Information Protection and Electronic Documents Act “will soon be expected, under proposed amendments to the act by Bill C-12, to report ‘material’ breaches to the federal privacy commissioner.”
Full Story

BIG DATA

Acxiom To Unveil Transparency Service (April 11, 2013)
Financial Times reports on plans by consumer data broker Acxiom to introduce a service allowing consumers to access data collected about them. In recent months, the U.S. Federal Trade Commission has placed the data broker industry under the microscope. Acxiom Chief Marketing and Strategy Officer Tim Suther said, “We live in an era when transparency is important,” adding, “We’re listening to that and trying to be even more transparent with people who are interested in understanding what companies like Acxiom do with information.” The company said the service may be available later this year, but it is working on identity theft protection and other logistical obstacles. (Registration may be required to access this story.)

MOBILE PRIVACY—U.S.

Harris Speaks on Balancing Privacy and Innovation (April 11, 2013)

During a conference on Wednesday for app developers and others in the mobile arena, California Attorney General Kamala Harris highlighted the importance of balancing privacy protections with innovation, reports PCWorld. “We’re here to encourage that innovation and to work together to figure out how we can balance the litigation interests at play when we talk about the need for the consumer to have information and the right that consumers should have to determine what they want to give up for what they get,” Harris said. Some attendees were unsure whether Harris’ remarks, and similar comments from the FTC, signaled excitement in their work or a readiness to take legal action against it.
Full Story

HEALTHCARE PRIVACY—U.S.

What Does a Five-Year-Old Know that Privacy Laws Don’t? (April 11, 2013)

In the latest IAPP Privacy Perspectives blog post, Stanley Crosley, CIPP/US, CIPM, director of the Indiana University Center for Law, Ethics and Applied Research (CLEAR) in Health Information, questions whether intuitive notions around privacy are being stymied by overly prescriptive health privacy law. Crosley writes, “We’ve taken a basically intuitive and practical principle and turned it into a labyrinth of thousands of national and local laws, regulations, rulings and opinions,” and in the meantime, people in healthcare “continue to suffer and die.”
Full Story

DATA LOSS—CANADA

Revelations Continue in Student Loan Incident (April 11, 2013)

Information continues to trickle in, revealing the true import of the external hard drive loss that has exposed personal information about 583,000 Canadian student loan borrowers. This week, POSTMEDIA NEWS has discovered the drive also contained business plans and financial information about the Canada Student Loan program, along with “investigative reports” on applicants whose eligibility was questionable. Privacy Commissioner Jennifer Stoddart continues to investigate the data loss, which also includes a missing USB stick, and that inquiry has grown to include the Department of Justice.
Full Story

HEALTHCARE PRIVACY—U.S.

Court: HIPAA Trumps Florida Disclosure Law (April 11, 2013)

The 11th U.S. Circuit Court of Appeals has ruled unanimously that a federal law requiring licensed nursing homes to disclose deceased residents’ medical records only to a designated “personal representative” trumps a Florida state law allowing disclosure to individuals including spouses, guardians, surrogates or attorneys who request them. The Miami Herald reports that Judge Susan Black wrote in the court’s decision, “The unadorned text of the state statute authorizes sweeping disclosures, making a deceased resident’s protected health information available to a spouse or other enumerated party upon request, without any need for authorization, for any conceivable reason, and without regard to the authority of the individual making the request to act in a deceased resident’s stead.”
Full Story

CYBERSECURITY—U.S.

Four CISPA Privacy Provisions Axed (April 11, 2013)

Four privacy amendments proposed for the Cyber Intelligence Sharing and Protection Act (CISPA) did not survive a House Intelligence Committee vote, reviving concerns that the National Security Agency and others could gain extensive access to citizens’ personal information, CNET reports. Among the amendments approved is one requiring privacy officers from the Director of National Intelligence, the Justice Department and other agencies to submit annual reports to Congress about how CISPA is used. The ACLU's Michelle Richardson said, "Eighty percent of our original materials and criticism stands. It's going to take a lot of effort on our part to make sure word gets out to members of the House."
Full Story

ONLINE PRIVACY—U.S.

ACLU Draws Attention to IRS E-Mail Policy (April 11, 2013)

According to Internal Revenue Service (IRS) documents obtained by the American Civil Liberties Union (ACLU), Americans have “generally no privacy” in their e-mail and social media communications, CNET News reports. A 2009 IRS handbook obtained by the ACLU says, “e-mails and other transmissions generally lose their reasonable expectation of privacy and thus their Fourth Amendment protection once they have been sent from an individual’s computer.” An ACLU spokesman said the IRS “should formally amend its policies” to require a warrant prior to accessing e-communications. There has been growing consensus of late to update the Electronic Communications Privacy Act to require warrants by law enforcement prior to accessing electronic communications.
Full Story

ONLINE PRIVACY

Privacy Focus Remains in Microsoft’s Ad Campaign (April 11, 2013)

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results,” The Boston Globe reports. The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new "Scroogled" ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states.
Full Story

BEHAVIORAL TARGETING

EBay To Open Data to Marketers (April 10, 2013)
EBay will now allow advertisers to target consumers based on what that consumer has bought, similar to Amazon. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But AdWeek reports eBay knows it risks alarming consumers and has protections in place so advertisers don't have direct access to personal information. Customers rightly “expect eBay not to tell anybody else who they are,” said a company spokesman.

DATA PROTECTION—U.S.

Gov’t Report: IRS PIAs Need Improvement (April 10, 2013)

A government report has revealed that the U.S. Internal Revenue Service (IRS) has not yet installed appropriate processes ensuring Privacy Impact Assessments (PIAs) are executed in a timely manner, Accounting Today reports. The Treasury Inspector General for Tax Administration (TIGTA) report made a total of 11 recommendations to the IRS. The IRS agreed with nine of the recommendations but noted it has already implemented two of them, the report states. TIGTA Inspector General J. Russell George said, “The privacy of taxpayer information is essential to taxpayer confidence in the fairness and integrity of the American system of tax administration,” adding, “It is imperative that the IRS adopt our recommendations to ensure the effectiveness of this important initiative.” Editor’s Note: For more on PIAs see Close-Up: Conducting a Privacy Impact Assessment in the IAPP Resource Center.
Full Story

BIG DATA

Company Stores Doctors’ Records, Serves Patients Ads (April 10, 2013)

The New York Times reports on a company offering doctors cloud-based electronic medical records software. Practice Fusion stores health data for 150,000 providers on 690 million patients. Its primary business is putting advertisements on those records via its relationships with testing and pharmaceutical companies. Ads are targeted to customers based on their medical records. Patient names and other identifiable information are not shared with advertisers, however. (Registration may be required to access this story.)
Full Story

STUDENT PRIVACY—U.S.

Tracking Study Habits: “It’s Big Brother, Sort of, But With a Good Intent” (April 10, 2013)

Professors at nine colleges are testing technology that allows them to get detailed reports of their students’ study habits through digital textbooks, reports The New York Times. While students’ digital textbook use has been tracked for a while now, CourseSmart individually packages information on all the students in a professor’s class. The start-up says that surveys indicated few privacy concerns, but one student who uses non-tracked forms of studying worries, “If he looks and sees, ‘Hillary is not really reading as much as I thought,’ does that give him a negative image of me?” More than 3.5 million students and educators currently use CourseSmart textbooks, and the program is expected to be introduced broadly in the fall. (Registration may be required to access this story.)
Full Story

BIG DATA—EU

WP29: Consent “Almost Always” Required (April 10, 2013)

A new opinion issued by the Article 29 Working Party (WP) states that "free, specific, informed and unambiguous 'opt-in' consent" is almost always necessary when organizations want to use previously collected personal data in Big Data projects, reports Out-law.com. The exception may be Big Data projects that involve detecting "trends and correlations." The WP also said businesses should provide consumers with access to their “profiles,” knowledge of the underlying logic of how the profiles were created and allow consumers to correct and share the information in them. The opinion includes a four-factor criterion to help determine whether businesses’ processing activities are compatible with the purposes for which the data was first collected.
Full Story

EMPLOYEE PRIVACY—U.S.

Can Workers Opt Out of BYOD? (April 10, 2013)

In an opinion piece for ZDNet, Ken Hess opines that companies should have an escape clause for those wishing to opt out of bring your own device (BYOD) policies. “Some BYOD programs have no such clause. In other words, either you bring your own device or you don’t have one. This seems to be the case for smaller companies, but large ones may soon catch on to the ‘all or nothing’ BYOD scheme. Where does this situation leave the employee who doesn’t want to share their phone, tablet or laptop with the company?” In a related story, Los Angeles Times reports on employees’ constitutional rights.
Full Story

SURVEILLANCE—U.S.

Court Case Reveals FBI Stingray Details (April 10, 2013)

Details of how the FBI uses cellphone surveillance technology have been revealed in a court case involving a suspected identity theft ringleader, Wired reports. Court documents note that Verizon reprogrammed the suspect’s air card to respond to silent incoming calls from the FBI causing the device to disclose its location. The government did not dispute the claims during a March 28 hearing in a U.S. District Court in Arizona. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It shows you just how crazy the technology is…This is more than just (saying to Verizon) give us some records…This is reconfiguring and changing the characteristics of the (suspect’s) property, without informing the judge what’s going on.”
Full Story

MOBILE PRIVACY

Studies Say Mobile Apps View Too Much Data (April 10, 2013)

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data, PCWorld reports. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to put blame on app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romanian-based firm are warning that mobile apps are becoming increasingly intrusive. Nearly 13 percent of apps disclose user phone numbers without the user’s consent.
Full Story

DATA PROTECTION

Exploring High-Level Talks and Risks for Privacy Officers (April 10, 2013)

In this recent IAPP Privacy Perspectives blog post, Profs. Deirdre Mulligan and Kenneth Bamberger discuss their research in which they interviewed hundreds of leading privacy officers, regulators and privacy pros. They explore “a caution raised by privacy officers in both the public and private sector regarding particular risks created by attempts to ensure that privacy is part of high-level deliberations within a corporation—risks that must be managed in developing policy.” Editor’s Note: Bamberger will be a speaker at the breakout session Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management at the IAPP Data Protection Intensive in London, UK.
Full Story

PRIVACY—EU

Europe Launches Controversial Crime-Fighting Database (April 9, 2013)
Deutsche Welle reports on the launch of Schengen Information System II (SIS II), after substantial delays. SIS II is a centralized database that aims to help security officials exchange information more quickly and efficiently within the Schengen zone, where people can move freely. “It’s important for member states to exchange data among one another more closely and join forces in fighting crime—as a counterbalance to the absence of border controls,” said a spokesman for Germany’s Federal Ministry of the Interior. But privacy authorities including Germany’s Federal Commissioner for Data Protection and Freedom of Information Peter Schaar have taken issue with the centralization of such data, and have called for uniform standards across Europe on how the data can be used and who has access.

ONLINE PRIVACY—UK

Could Right To Be Forgotten Have Helped Embattled Official? (April 9, 2013)

BBC News reports on recently unearthed and damaging tweets by the UK’s first Youth Police and Crime Commissioner, Paris Brown, from when she was aged between 14 and 16. The 17-year-old has since deleted her Twitter page, but the article queries whether the European Commission’s proposed “right to be forgotten” could have helped Brown avoid such an incident. Brown said of her past tweets, “I don't think they should shape my future and my career and how I'm going to represent young people.” Yet, the report also states that the UK Ministry of Justice does not support this “right,” as it “raises unrealistic and unfair expectations.” Justice Secretary Chris Grayling added, “the ‘reasonable steps’ required by the draft regulation would promise much, but deliver little.” Editor’s Note: The IAPP blog post “Maybe We Need ‘A Right To Be Forgiven’” explores the implications of data erasure and online reputation.
Full Story

CONSUMER PRIVACY—U.S.

Will Retailers Have to Dial It Back in 2013? (April 9, 2013)

Several stories emerged last week about the pervasive nature of offline tracking of consumers by retailers. Sen. Al Franken (D-MN) noted he was still unsatisfied with Euclid Analytics and their privacy policies, Consumer Reports outlined how retailers “are taking spying to a new level,” and The New York Times explored the use of ZIP codes by retailers. In this IAPP Privacy Perspectives blog post, we explore what implications this trend may have for privacy professionals working for online and offline retailers.
Full Story

DATA LOSS—U.S.

A Roundup of Recent Breaches (April 9, 2013)

Following two recent breaches in Utah, one affecting 780,000 individuals, the state is taking steps to prevent future incidents, GovInfoSecurity reports. The health department is creating a data security office, and the governor recently signed a law that will see the implementation of security and privacy best practices there and in other government departments. In California, Kirkwood Community College officials say hackers accessed a database containing applicants’ names, Social Security numbers and other personal information. And the VA medical center has alerted 7,405 patients of a breach involving an unprotected laptop containing their personal information.
Full Story

BIOMETRICS—U.S.

EPIC Sues FBI Over NGI Database (April 9, 2013)

The Electronic Privacy Information Center (EPIC) has filed a Freedom of Information Act lawsuit against the Federal Bureau of Investigation (FBI) to get access to documents outlining the “Next Generation Identification” (NGI) database. According to an EPIC press release, the database contains biometric identifiers—including fingerprints, DNA profiles, iris scans, palm prints and voice identification profiles—of millions of American citizens. The complaint filed by EPIC stated, “When completed, the NGI system will be the largest biometric database in the world.” The FBI plans to use the database to match information with data gleaned from outlets such as CCTV.
Full Story

PRIVACY LAW—POLAND

New Cookie Rules Make Opt-Out OK with Proper Info (April 9, 2013)

According to SSW privacy lawyer Joanna Tomaszewska, changes to Poland’s telecoms laws mean a “very strict information duty” requiring website operators to inform consumers of cookie use and ways they can alter their cookie settings; however, if properly informed users do not change default settings, inaction will constitute “explicit consent.” The Office of Electronic Communications (OEC) has also been given the power to issue financial penalties of up to three percent of the previous year’s profits to companies that breach the rule, Out-law.com reports. While noting that “it is too early to know how the OEC will impose penalties,” Tomaszewska said it is "rather unlikely" the OEC will levy a fine amounting to three percent of annual profits.
Full Story

PRIVACY LAW—MEXICO

Mandatory Notice Guidelines To Go Into Effect (April 9, 2013)

Littler Mendelson’s Javiera Medina Reza outlines Mexico's new Privacy Notice Guidelines, which go into effect April 17. The mandatory guidelines bring requirements for data privacy notices and obtaining consent prior to collecting personal data in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties, enacted in 2010. The Federal Institute for Access to Information and Data Protection (IFAI) may impose sanctions for noncompliance, and Reza writes that a recent IFAI decision leading to a fine of more than $162,000 for a company’s failure to fix problems with its privacy notice underscores the importance of complying with the guidelines.
Full Story

PRIVACY LAW—HONG KONG

PCPD Condemns s for Deceitful Practices (April 9, 2013)

The Office of Privacy Commissioner for Personal Data (PCPD) has found that an insurance broker and a body-check service obtained personal information through deceitful means for direct marketing purposes, reports The Standard. After receiving complaints from consumers, the PCPD investigated the companies and found that Hong Kong Preventive Association Limited had collected personal data from about 360,000 people under false pretenses, which it then sold to Aegon Direct for direct marketing. Privacy Commissioner Allan Chiang Yam-wang said while he hoped Octopus’s contraventions would serve as a “wake-up call…in many recent investigation cases, including this one, it was found that the data users still fell short of meeting customer expectations and compliance with the requirements of the ordinance."
Full Story

DATA LOSS—AUSTRALIA

Company To Launch Data Breach Insurance (April 9, 2013)

Australian Financial Review reports insurer Beazley Group plans to roll out data breach insurance in Australia at the end of this year. “There is certainly growing interest in this sector,” said Beazley Chief Executive Andrew Horton, noting data breach notification laws could get tougher. He added that data breaches happen in forms other than cyber threats, including when data is simply lost when a business moves from one location to another. The company launched the product in the U.S. five years ago and in the UK earlier this year.
Full Story

BIG DATA—U.S.

The Potentials and Perils of Data Science (April 8, 2013)
The New York Times reports on Columbia University’s new Institute for Data Sciences and Engineering and the importance of educating a broader swath of society. Google Chief Information Officer Ben Fried expressed concern that “the technology is way ahead of society” and warned against only having an intellectual elite who understand the implications of Big Data—a situation that could cause “a runaway technology or a public rejection.” Fried added, “I think it is a mistake if conversations about this technology leave out the humanities.” Meanwhile, one consulting firm notes that Big Data could save U.S. citizens as much as $450 billion in healthcare costs. (Registration may be required to access this story.)

PRIVACY COMMUNITY

Foreign Service Worker Killed in Afghanistan (April 8, 2013)

We at the IAPP were deeply saddened to hear of the death of Foreign Service Officer Anne Smedinghoff, daughter of longtime IAPP member and Edwards Wildman Palmer Partner Tom Smedinghoff, in Afghanistan this weekend. Our thoughts are with the Smedinghoff family today, and we hope you will keep them in yours as well.
Full Story

ONLINE PRIVACY

Mozilla Readies Third-Party Cookie Blocker (April 8, 2013)

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry,” COMPUTERWORLD reports. Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to fully release in late June.

CYBERSECURITY—U.S.

Revamped CISPA To Go to Committee Vote (April 8, 2013)

The House Intelligence Committee this week will discuss the Cyber Intelligence Sharing and Protection Act (CISPA), which would provide companies “lawsuit immunity in the case of data exchange,” ZDNet reports. Changes to the proposal haven’t been announced yet, but some say it will require stronger data anonymization and use restrictions in hopes of allaying the Obama administration’s privacy concerns—which led to threats of a veto last year. “We need to get a little more specific in terms of what type of information we’re sharing and under what circumstances,” said George Washington University Homeland Security Policy Institute Director Frank Cilluffo. CISPA is slated for a committee vote April 10 in a closed session. Editor’s Note: Registration is now open for the IAPP web conference “Reporting on Cybersecurity Risk for Public Companies.”

PRIVACY LAW—U.S.

Industry Pushes Back on State’s Right To Know Act (April 8, 2013)

The Wall Street Journal reports on industry backlash against California’s proposed “Right To Know Act.” If the bill passes, it would require companies to disclose their data-use practices to California consumers upon request. A coalition of businesses and trade groups—including the Internet Alliance, TechNet and TechAmerica—have written to the bill’s sponsor, Assemblywoman Bonnie Lowenthal (D-Long Beach), urging that she “not move forward” with the bill, citing its “costly and unrealistic mandates.” Nicole Ozer of the ACLU—which co-sponsored the bill—said there is “real impact for individuals when they don’t know how their information is being collected and when it is being shared in ways they don’t want.” (Registration may be required to access this story.)

ONLINE PRIVACY

Opinion: Top Five Threats of 2013 (April 8, 2013)

PCWorld columnist Melissa Riofrio lays out the top five online privacy threats in 2013, including the proliferation of cookies, law enforcement’s seizure of cloud data, the ease of locating users by their smartphones, facial recognition software and looming government concerns about cybersecurity. “This year’s online threats to privacy will continue to grow unless Congress and other decision-making bodies offer some meaningful support for privacy,” Riofrio writes, adding, “it all boils down to a matter of openness versus secrecy.”

DATA PROTECTION

Questions Linger on Data Ownership (April 8, 2013)

GigaOM reports on a recent discussion among experts on the topic of data collection and sharing. “What does it mean to own data?...Does it mean I can do with it whatever I want to do with it?” The question was posed by Andreas Weigend, a lecturer at Stanford University and formerly a chief scientist at Amazon.com. GigaOM’s Jordan Novet said the recent panel discussion in San Francisco elicited questions on whether companies should increase the amount of data they share and whether consumers care enough about their data to want to know what companies collect. Editor’s note: Andreas Weigend will be a keynote speaker at the IAPP’s Data Protection Intensive in London, April 23-25.

ONLINE PRIVACY

Opinion: Privacy Can’t Be Forgotten for Customization’s Sake (April 8, 2013)

As consumers, we must take a close look at Google’s agenda to ensure it acts responsibly towards its users when it comes to privacy, opines Evgeny Morozov for Financial Times. Noting the launch of its latest product, Google Now, Morozov writes of the need for consumers to take control over what happens to their data. “If European history teaches us anything, it’s that some raw materials—and privacy is certainly among them—are worth cherishing and preserving in their own right, even if it means that the much-anticipated future will take somewhat more energy to construct.” (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Potentially Massive Class-Action Moves Forward (April 5, 2013)
A federal court has granted class-action status to a lawsuit claiming online tracking firm comScore secretly collected and sold Social Security numbers and credit card numbers as well as passwords and other personal data from consumer systems. The lawyer representing the two plaintiffs told COMPUTERWORLD this could be the largest privacy case to go to trial by way of class size and potential damages, the report states. ComScore says it captures approximately 1.5 trillion user interactions monthly—or nearly 40 percent of Internet page views.

ONLINE PRIVACY—U.S.

Google Tells FBI: Return To Sender (April 5, 2013)

Just a few weeks after U.S. District Judge Susan Illston created a bit of legal limbo around the U.S. federal government’s so-called National Security Letters (NSLs) by declaring them unconstitutional and putting her ruling on hold to allow for appeal, Google has stepped into the breach by refusing to comply with an FBI-issued NSL. According to a Bloomberg report, Google has challenged a demand by the FBI for private user information in what the Electronic Frontier Foundation believes is the first time a “major communications company” has decided not to comply with an NSL. Google outlines its policy toward NSLs here. The law allows judges to set aside requests by the FBI if they are “unreasonable, oppressive or otherwise unlawful.”

DATA PROTECTION—EU & U.S.

Reding and Holder Discuss Privacy Protection (April 5, 2013)

EU Justice Commissioner Viviane Reding met with U.S. Attorney General Eric Holder to discuss a range of issues including data protection initiatives and other collaborative efforts between the European Commission (EC) and the U.S. Justice Department, NewEurope reports. Among more specific topics, the officials discussed online protections for children and ongoing data-sharing efforts. According to an EC press release, “Each noted recent progress made, and both sides were optimistic in reiterating their determination to finalize negotiations as rapidly as possible.” Meanwhile, the UK government is not backing efforts within the proposed EU data protection regulation to instill a “right to be forgotten,” The Guardian reports.

ONLINE PRIVACY

Firefox Announces More DNT Options (April 5, 2013)

CNET’s Seth Rosenblatt reports on Firefox’s “more nuanced approach” to implementing its Do-Not-Track (DNT) setting and efforts to provide additional user choice. Firefox engineers describe the past practice of “on” or “off” DNT implementation in light of what they describe as the “three states of Do Not Track.” Firefox’s Tom Lowenthal explains, “DNT:0 means, ‘I consent to being tracked.’ DNT:1 means, ‘I object to being tracked.’…When DNT is off, it doesn’t mean ‘please track me.’ It means that the user hasn’t told the browser their choice yet.” Rosenblatt notes, “What’s not clear is how sites react to that.”

HEALTHCARE PRIVACY—U.S.

Groups Develop Trust Framework (April 5, 2013)

The Texas-based Patient Privacy Rights Foundation, along with Microsoft and PricewaterhouseCoopers, has developed a “trust framework” for health IT systems, ModernHealthcare reports. The framework includes 75 criteria based on 15 privacy principles to enable “objective measurement of how well health IT, platforms, applications, electronic systems and research projects protect data privacy and ensure patient control over the collection, use and disclosure of their health data,” the Patient Privacy Rights Foundation noted. The principles include elements available under current state and federal laws, the report states, as well as provisions indicating individuals should “decide who can access information” and “how and if sensitive information is shared.” (Registration may be required to access this story.)

BIOMETRICS

Baidu Can Do Wearable Facial Recognition, Too (April 5, 2013)

It’s been hard to miss reports of Google Glass, the headset computer that has led to privacy concerns surrounding facial recognition and otherwise. Reuters now reports that Chinese search giant Baidu has a similar wearable product in the pipeline, known internally as Baidu Eye. The device, which is still just a prototype, reportedly leverages the company’s strengths in image and facial recognition, allowing for voice searches, along with an ability to bounce images and faces off a central database for potential matches.

PRIVACY LAW—U.S.

Rep To Propose CISPA Amendment; Franken To Reintroduce Bill (April 5, 2013)

The Hill reports Rep. Adam Schiff (D-CA) will propose an amendment to the Cyber Intelligence Sharing and Protection Act (CISPA) to address privacy advocates’ major concerns. Schiff’s amendment would require companies to strip any information “that can be used to identify a specific person unrelated to a cyber threat” before sharing the data with the government or other third parties, the report states. The bill is to be discussed in a closed-door meeting of the House Intelligence Committee next week. Meanwhile, Sen. Al Franken (D-MN) plans to reintroduce his Location Privacy Protection Act and recently admonished retail analytics firm Euclid for the opt-out nature of its data collection practices.

MOBILE PRIVACY

Facebook Feature Maps User Moves (April 5, 2013)

Forbes reports on Facebook’s latest mobile release, a “digital skin that you will slide your phone into” which will turn the phone into a “slideshow version of the Facebook news feed.” The feature, called “Home,” means Facebook may be able to consistently collect users’ location information—an attractive situation for advertisers, the report states. GigaOM’s Om Malik noted the privacy issues involved, including that Facebook may be able to deduce a user’s home address by monitoring where the phone most often idles. Facebook says the feature will have the same privacy policy as the rest of the site.

PRIVACY LAW—U.S.

Hannaford Breach Class-Action Decision (April 4, 2013)
U.S. District Court Judge Brock Hornby has denied a plaintiff’s motion to certify a class action seeking damages stemming from a data breach at Hannaford Bros., National Law Review reports. The March 20 decision by Hornby noted that proving damages “required highly individualized determinations that could not be tried through proof common to the class as a whole,” and the article states that the “Hannaford case illustrates how damages issues, even in cases articulating a viable common damages theory, can still frustrate class certification.” Though Hornby denied an argument that a voluntary refund program offered by the company “provides a defense against class certification, such programs still provide a way to mitigate class damages, reduce potential overall exposure and retain customer goodwill.”

SURVEILLANCE—U.S.

NYC Awareness System Raises Privacy Concerns (April 4, 2013)

New York City’s Domain Awareness System (DAS), which combines police know-how with computer algorithms, is reportedly making the city money and making it safer, but some worry it is also invading people’s personal privacy. The system combines more than 3,500 publicly placed cameras, license-plate readers “at every major Manhattan entry point,” radiation detectors and real-time 911 alerts with “a trove” of police data, The New York Times reports. The success of the DAS has generated interest from other municipalities, but others worry the invasion of privacy will be “much greater than anything we have seen so far.” In another surveillance story, the Office of Naval Research aims to use autonomous technology to patrol and map the ocean. (Registration may be required to access this story.)

PRIVACY BIZ

Serwin Brings Privacy Team to MoFo (April 4, 2013)

Morrison & Foerster bolstered its privacy team significantly this week with the addition of Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, Peter McLaughlin, CIPP/US, and Daniel Muto, CIPP/US, who’ve all made the jump from Foley & Lardner. The IAPP talks with Serwin about why he made the move and what he sees as growth markets for privacy.

PRIVACY LAW—U.S.

Report: Law Poses Security Risks, Could Violate Privacy (April 4, 2013)

A report by the National Academy of Public Administration (NAPA) says a law requiring the personal financial information of 28,000 federal workers to be posted online poses a national security risk and could violate privacy, USA TODAY reports. The STOCK Act requires the data be available online by April 15 for public searching, sorting and downloading. NAPA concludes that transparency “does not necessarily equate to unrestricted accessibility when it comes to thousands of federal employees’ sensitive financial information,” and “considerations must be made for balancing transparency and privacy needs appropriately and in a way that does not expose federal employees to unnecessary risk.”

DATA PROTECTION—U.S.

Hotel Data Security Issues on the Rise (April 4, 2013)

Chicago Tribune reports on data security issues within the hospitality industry and the alleged rise in identity thefts and malware attacks. One attorney specializing in hospitality law said, “Data security is becoming an issue of significant importance in the hospitality industry.” Hackers now attack hotel systems and data in third-party reservation systems not only for credit card data but for additional personal information, including address, license plate number and date of birth, all of which aid in identity theft, the report states.

CONSUMER PRIVACY—U.S.

Right To Know Bill Draws Industry Push Back (April 4, 2013)

The California bill that would require the state’s retailers to disclose data collection and use to consumers has drawn varied reactions from advocates and businesses. CSO reports groups including the Electronic Frontier Foundation and the ACLU support the Right To Know Act of 2013 for the power it would grant consumers over their personal information. But the California Chamber of Commerce and TechAmerica, among others, say the bill is too broad in its definition of personal information and worry it would open the door to “frivolous lawsuits,” the report states.

CONSUMER PRIVACY—U.S.

FTC Sends FCRA Warning Letters To Six Companies (April 4, 2013)

The Federal Trade Commission (FTC) has sent letters to six companies warning them to “double-check” their Fair Credit Reporting Act (FCRA) responsibilities. The selected companies specifically collect information about the rental histories of tenants and share the data with potential landlords, the FTC press release states. “If you assemble or evaluate information on individuals’ rental histories,” the release states, “and provide this information to landlords so that they can screen tenants, you are a consumer reporting agency that is required to comply” with FCRA.

PERSONAL PRIVACY—U.S.

After Searches, Harvard Orders E-Mail Policy Review (April 4, 2013)

In the wake of a “secret search” of e-mail accounts belonging to 16 of the university’s deans, Harvard President Drew Faust has ordered a review of e-mail privacy policies, describing the inconsistency across the university as “highly inadequate,” COMPUTERWORLD reports. Calling the lack of e-mail privacy policies an “institutional failure,” Faust plans to form a task force to develop recommendations on e-mail guidelines. Faust has also asked an independent attorney to investigate the e-mail searches “and to verify that the information provided so far is a full and accurate description of what actually happened,” the report states.

CYBERSECURITY—U.S.

Advocates Want House To Debate CISPA Openly (April 4, 2013)

Privacy groups are calling on U.S. lawmakers to make significant changes to the Cyber Intelligence Sharing and Protection Act (CISPA). The 41 groups include the Center for Democracy and Technology, the ACLU and the Electronic Frontier Foundation, and they want the House Intelligence Committee to debate the bill publicly rather than behind closed doors. While Rep. Mike Rogers (R-MI) said recently that concerns with CISPA are due to bad PR, the ACLU says everyone, “from the privacy community to the president, agrees that CISPA is bad on privacy.” Meanwhile, a recent survey indicates data security concerns from American Chamber of Commerce members operating in China are on the rise.

ONLINE PRIVACY

Euro Task Force Initiates Google Enforcement Measures (April 3, 2013)
A taskforce of data protection agencies has begun follow-up measures against Google, alleging the company failed to fix flaws in a new privacy policy, The Washington Post reports. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and The Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. (Registration may be required to access this story.)

EMPLOYEE PRIVACY—U.S.

Vast Tracking Database May Contravene FCRA (April 3, 2013)

The New York Times reports on databases created by retailers across the nation that track employees accused of workplace theft. Retailers tap into the databases in order to avoid applicants who have been accused of such crimes by previous employers. In many cases, the report states, employees “have no idea that they admitted to committing a theft or that the information will remain in databases.” Presently legal, the databases are being scrutinized by the Federal Trade Commission for potential violations of the Fair Credit Reporting Act. One lawyer familiar with the system said such a database is a “secret blacklist” and added, “The employees don’t know about it until they have already been hurt.” (Registration may be required to access this story.)

CONSUMER PRIVACY—U.S.

Opinion: Brick-and-Mortars’ Surveillance Outdoes Online Tracking (April 3, 2013)

MediaPost’s Steven Smith points to a recent article in Consumer Reports on “How Stores Spy on You” as evidence that the uptick in surveillance at brick-and-mortar stores may mean consumers “forget altogether the relatively tame uses of data by the online advertising ecosystem.” Consumer Reports discusses the devices retailers are placing around store shelves and via digital signs to gauge consumer preferences. Smith says such a report is “likely to take some of the heat off digital marketing” as those practices make anonymous cookies placed to track users online seem “trivial.” Meanwhile, The New York Times reports on retailers’ requests for consumer ZIP codes during transactions and the uses of such data.

PRIVACY LAW—U.S.

Supreme Court Asked To Hear NebuAd Case (April 3, 2013)

Two subscribers of Internet service provider (ISP) Embarq have asked the Supreme Court to determine whether the company violated existing privacy law when it partnered with NebuAd, MediaPost News reports. Embarq was one of six ISPs that used NebuAd’s behavioral targeting services in 2007 and 2008, but some consumers have claimed the partnership violated federal wiretap laws. In a petition to the Supreme Court, two former Embarq subscribers wrote, “The present case illustrates the significant harm to societal interests in communications privacy if an ISP is considered to be permitted, in the ordinary course of its business, to sell its customers’ private communications to the highest bidder.”

DATA PROTECTION—UK

ICO Performance Report Is “Mixed Bag” (April 3, 2013)

A recent report by the Commons Justice Select Committee on the performance of the Information Commissioner’s Office (ICO) includes both supportive and troubling news for the agency, Mondaq reports. The committee backed the ICO’s intention to place NHS bodies and local authorities under compulsory audits. The article suggests the ICO’s view of the committee’s report was accurate when the ICO said, “the picture that emerges (of the ICO) is of a regulator that is delivering, that is relevant and that is efficient” but cautions the ICO also faces funding issues and is “running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance.”

CONSUMER PRIVACY—U.S.

California Considers Mandatory Disclosure Bill (April 3, 2013)

California is considering requiring companies to disclose their data-use practices to California consumers upon request, Threatpost reports. If the Right to Know Act of 2013 passes, California would be the first state to require “any business that retains customer data to give a copy of that information, including who it has been shared with for the past year, upon request.” The Electronic Frontier Foundation supports the bill; a spokesperson said it brings California’s “outdated transparency law into the digital age.”

DATA PROTECTION

Thinking Accountability? Here’s One Suggestion (April 3, 2013)

“Over the past 10 years, the components of an accountable privacy program have evolved through a combination of privacy professional best practices,” scholarship and regulatory action, writes Intel Global Privacy Officer David Hoffman, CIPP/US, in the latest IAPP Privacy Perspectives blog post. With a waning notice-and-consent model still in the marketplace, Hoffman suggests that consumer education is a major component toward the accountability model. “There is no better network poised to navigate privacy cultures and raise the collective consciousness of privacy than privacy professionals,” Hoffman writes, providing a number of suggestions for privacy pros.

BEHAVIORAL TARGETING—U.S.

Franken: Company’s Opt-Out Tracking Unsatisfactory (April 2, 2013)
Sen. Al Franken (D-MN) has said that the opt-out policy used by Euclid Analytics is unsatisfactory because it requires consumers to go to the company’s website instead of asking consumers for permission, The Hill reports. Franken sent Euclid a letter last month looking for more information about its privacy practices and on Monday released the organization’s response. “I am pleased that privacy is a priority for Euclid,” Franken said, “but their continued use of opt-out technology underscores the need for Congressional action to protect consumer location privacy.” Euclid CEO Will Smith said the company does not collect personal information, only provides metrics to its retailer clients and does “not have any plans to sell, rent or disclose” its data to any third parties.

DATA RETENTION—SLOVENIA

Commissioner Challenges New Data Law as Unconstitutional (April 2, 2013)

Andrej Tomšič, deputy information commissioner for the Republic of Slovenia, writes for EDRi-gram that his boss, Commissioner Nataša Pirc Musar, challenged on March 19 the national implementation of the Act on Electronic Communications before the Constitutional Court. Musar believes the new data retention provisions, which were enacted January 15, “do not respect the principle of proportionality and that they have been transposed into the national law in contrast with the provisions of the Data Retention Directive 2006/24/EC.” This will broaden data retention to all criminal offenses and anything in the “interests of the state,” along with civil litigations and labor law disputes. Musar hopes to have enforcement of the act suspended and the new provisions declared unconstitutional, which could take as much as a year.

ONLINE PRIVACY

Google Privacy Chief Stepping Down (April 2, 2013)

Google’s first director of privacy plans to retire, Forbes reports. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to prevent future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals.

DATA RETENTION—AUSTRALIA

Report: Law Would Put Small ISPs at Disadvantage (April 2, 2013)

The Australian reports on the impact of proposed data retention legislation on small Internet service providers (ISPs). While the comments had not been made public previously, the government was cautioned a year ago by a Department of Broadband Communications and the Digital Economy adviser that small ISPs “faced the heaviest financial burden under data retention laws being sought by law enforcement bodies,” the report states. The proposed legislation is the subject of an inquiry by the Joint Parliamentary Committee on Intelligence and Security. Law enforcement officials have said they are not attempting to extend their powers, but advocates caution the laws are “too intrusive on privacy of innocent civilians,” the report states. (Registration may be required to access this story.)

PERSONAL PRIVACY—U.S.

FAA To Host Online Drone Privacy Session (April 2, 2013)

The Federal Aviation Administration (FAA) will host an “online public engagement session” on Wednesday to allow the public to express privacy concerns stemming from domestic use of drones, The Washington Times reports. The FAA is seeking specific comments on a privacy protocol that would be implemented at its six drone testing sites. Public comments “are not intended to predetermine the long-term policy and regulatory framework under which commercial (drones) would operate,” the FAA has said, adding, “Rather, they aim to assure maximum transparency of privacy policies.”

PRIVACY

Insights from the Field: Women in Privacy (April 2, 2013)

In this exclusive for The Privacy Advisor, trailblazers including Sandra Hughes, Jennifer Barrett Glasgow, CIPP/US, and Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, discuss the proliferation of women in the field of privacy and their thoughts on reasons behind it. Glasgow opines, for example, that the profession requires skills more common in women than in men. Editor’s Note: For a closer look at the work of privacy professionals in the field today—both men and women—access the IAPP’s 2013 Privacy Professionals Role, Function and Salary Survey in the Resource Center.

ONLINE PRIVACY

Why Consumer Privacy Decisions Aren’t Always Rational (April 1, 2013)
The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” (Registration may be required to access this story.)

STUDENT PRIVACY—U.S.

Fed Appeals Court Restricts Phone Searches (April 1, 2013)

The U.S. Court of Appeals for the Sixth Circuit has ruled that a school may not search a student’s phone, even if the student has a history of troubled behavior, The Wall Street Journal reports. G.C. v. Owensboro Public Schools also more specifically defined under what circumstances a student’s phone may be searched, and, according to the report, it is one of the “more significant rulings on student privacy rights.” (Registration may be required to access this story.)

DATA PROTECTION—U.S.

Fleischer: U.S. Must Better Explain Privacy Framework (April 1, 2013)

Google Global Privacy Counsel Peter Fleischer wrote of the need for a “better, simpler narrative” of U.S. privacy laws in a recent blog post, The New York Times reports. Comparing the U.S. system of patchwork privacy laws to Europe’s blanket data protection directive, Fleischer says the patchwork model “doesn’t lend itself to simple storytelling,” the report states. “Europe’s privacy narrative is simple and appealing,” wrote Fleischer, adding that if the U.S. wants consumers to trust U.S. companies operating abroad, it “has to figure out how to explain its privacy laws on a global stage.” (Registration may be required to access this story.)

DATA LOSS—U.S.

GSA Reports Breach; VA Holds BYOD Plans (April 1, 2013)

The U.S. General Services Administration recently alerted users of its System for Award Management that personal information was exposed due to a security vulnerability, CNET News reports. The notice said registrants using Social Security numbers as identifiers may be at greater risk for identity theft. Meanwhile, InformationWeek reports the Department of Veterans Affairs has put on hold plans to allow employees to use their own mobile devices for work purposes. The department said it must resolve legal issues on confiscation and investigation of such devices before moving forward.

DATA LOSS—U.S.

Breach Roundup; Supreme Court Upholds Strict Harm Requirements (April 1, 2013)

Oregon Health and Science University has sent data breach notification letters to 4,022 patients following the theft of a surgeon’s unencrypted laptop, HealthITSecurity reports. The University of Mississippi Medical Center reports a password-protected laptop containing personal information on adult patients has gone missing, and Utah’s Granger Medical Clinic has notified patients of a potential breach after 2,600 medical appointment records scheduled to be shredded went missing. Meanwhile, Wilson Elser attorneys report on the recent Supreme Court ruling that upheld requirements for plaintiffs to prove harm that is “certainly impending” in order to have standing to sue in privacy cases.