Privacy News | Daily Dashboard

Top Privacy News

MOBILE PRIVACY

Are Multiple Guidelines Helping or Hurting the Mobile Ecosystem? (June 28, 2013)
Never has the mobile app ecosystem been as popular and dynamic as it is now. Smartphones and the use of mobile apps are practically ubiquitous and are giving the economy a needed boost. With that boost, though, come very unique privacy concerns and challenges. And privacy regulators have taken notice. In this in-depth exclusive for The Privacy Advisor, we examine the standards, look to the future and provide a handy guide for wading through the murky mobile privacy waters.

MOBILE PRIVACY—U.S.

FCC Rules Carriers Must Protect Data (June 28, 2013)

The Federal Communications Commission (FCC) has ruled that telecoms need to safeguard consumer call information regardless of whether they’re using wireless or landlines, reports MediaPost. An FCC statement says, “When mobile carriers use their control of customers’ devices to collect information about customers’ use of the network...carriers are required to protect that information.” The ruling stems from an investigation into allegations that Carrier IQ was logging customers’ keystrokes. Commissioner Jessica Rosenworcel pointed out that the ruling applies only to carriers, adding, “They do not apply to the manufacturers of wireless phones. They do not apply to the developers of operating systems. Consumers can be confused by these distinctions.”

PRIVACY LAW—CHINA

Making Sense of China’s New Privacy Laws (June 28, 2013)

In an apparent effort to encourage consumer engagement in the e-commerce market and establish baseline security standards, the Chinese government has in the past several months released a number of laws, regulations, and guidelines focused on privacy and security issues. In this exclusive Privacy Tracker post, the Hogan Lovells privacy team summarizes the notable takeaways from these initiatives.

DATA LOSS

Facebook’s White Hat Program Helped Uncover Glitch (June 28, 2013)

Facebook this week announced that a glitch exposed the personal information of six million users. In an interview with The Privacy Advisor, the company discusses how its White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty,” helped discover the problem and why it felt the need to report the breach.

PRIVACY LAW—U.S.

PCLOB Public Workshop To Be Held July 9 (June 28, 2013)

Following the Privacy and Civil Liberties Oversight Board (PCLOB) meeting with President Barack Obama last week, the PCLOB has set a public meeting for July 9 to discuss the National Security Agency (NSA) surveillance programs, Politico reports. The PCLOB “will conduct a public workshop with invited experts, academics and advocacy organizations regarding surveillance programs operated pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act,” according to the workshop notice. The meeting will be held in Washington, DC, but the specific location has not yet been announced.

SURVEILLANCE—EU & U.S.

NSA Programs: Criminal? Necessary? Collecting EU Data? (June 28, 2013)

The Austrian student group Europe v. Facebook has filed complaints with several EU data protection authorities in light of news of the U.S. National Security Agency’s (NSA) surveillance programs. The group’s head told Ars Technica that the goal “is to see if it is legal for a European Union company to forward data to the National Security Agency in bulk...(and) to get more information, because they will have to disclose stuff in a proceeding here. The U.S. gag orders are not valid here.” Meanwhile, the NSA chief is defending the program, saying it has helped uncover 54 terrorist plots, but an op-ed in The New York Times calls the programs “criminal” and chastises the administration for justifying them.

PRIVACY—U.S.

Schneier Joins EFF Board; Suit Filed Over FBI Database (June 28, 2013)

The Electronic Frontier Foundation (EFF) has announced that security expert Bruce Schneier has joined its Board of Directors. The EFF said in a press release that Schneier’s expertise is especially important to the organization now as “we learn more and more about the unconstitutional surveillance programs from the National Security Agency (NSA) and the depth and breadth of data the NSA is collecting on the public.” Meanwhile, the EFF has filed a lawsuit in California asking the judge to require the FBI to respond to its Freedom of Information Act requests about the agency’s forthcoming biometrics database.

PRIVACY PROFESSION

An Open Letter to Privacy Professionals: We Need To Earn the Public’s Trust (June 27, 2013)
The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of citizens has Mozilla CPO Alex Fowler questioning the ethical responsibilities of privacy professionals. In this exclusive for Privacy Perspectives, he challenges his peers to ponder: “Do we have ethical obligations to the people whose data is our professional responsibility or only to our employers?” Read his reasoning and give your answer in the comments to move the discussion forward.

PRIVACY COMMUNITY

Former U.S. Rep. Bono Joins Leibowitz To Co-Chair New Privacy Coalition (June 27, 2013)

A group of the nation’s largest telecommunications companies have founded the 21st Century Privacy Coalition, Adweek reports. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep. Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said.

DATA PROTECTION—IRELAND & U.S.

FTC, Ireland DPA Sign Enforcement Assistance Memorandum (June 27, 2013)

Federal Trade Commission (FTC) Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement.” Hawkes said he “very much welcomes this important development, which I believe will have valuable assistance to my office…” In this exclusive for The Privacy Advisor, Hogan Lovells’ Christopher Wolf and Wilson Sonsini’s Christopher Kuner both provide insight into this development.

BIG DATA—U.S.

Brill Calls for “Reclaim Your Name” Program (June 27, 2013)

Federal Trade Commissioner Julie Brill has called on Congress to legislate a “Reclaim Your Name” program, AdAge reports. Suggesting that Big Data brokers are “taking advantage of us without our permission,” the program Brill has called for would establish technical controls allowing users to access the information data controllers have stored about them, then control it and correct it, the report states. The program could work in tandem with the still-being-negotiated Do-Not-Track (DNT) mechanism, Brill said, adding that she urges “the W3C stakeholders to forge ahead and reach consensus” on DNT. The Direct Marketing Association expressed surprise at Brill’s announcement, noting it has been in talks with her recently on increasing transparency.

PRIVACY BY DESIGN

How UI and UX Can KO Privacy (June 27, 2013)

At Navigate 2013, Will Dayable, co-director at Squareweave, and Jason Hong, associate professor at the Human Computer Interaction Institute at Carnegie Mellon, provoked the nearly 300 attendees into thinking about how UX (User Experience) and UI (User Interface) affect the way people experience and understand privacy. Is your privacy policy written and displayed with respect for your users?

SURVEILLANCE—U.S.

Another NSA Revelation: Stellar Wind (June 27, 2013)

The Guardian continues to publish news of secret, warrantless surveillance programs undertaken by the NSA. Today, the paper has news of an operation called Stellar Wind, which ran from 2001 through 2011, collecting “the accounts to which Americans sent e-mails and from which they received e-mails. It also details the Internet protocol addresses used by people inside the United States when sending e-mails--information which can reflect their physical location. It did not include the content of e-mails.” All “communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States” were fair game, approved by the FISA court every 90 days for a decade.

DATA PROTECTION

If Nine Of 10 Employees Breach Policies, How Is Privacy Possible? (June 27, 2013)

A survey taken over several years has found that out of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance at protecting consumer data if the employees charged with practicing model data-steward behavior couldn’t care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? This exclusive for The Privacy Advisor discusses a few experts’ experiences with success.

TELEMATICS—UK

Biz Launches Data-Driven Car Insurance for Youth (June 27, 2013)

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates, Information Age reports. Called Box Insurance, the company places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.”

PRIVACY POLICIES

Using Virtual Assistants To Guide Privacy Settings (June 27, 2013)

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.”

PRIVACY LAW—U.S.

Is Markey the Most Influential Privacy Legislator in U.S. History? (June 26, 2013)

In light of news that Rep. Ed Markey (D-MA) won yesterday’s Massachusetts special election for the U.S. Senate, Peter Swire, CIPP/US, writes about why Markey “is quite possibly the most influential member of the House of Representatives in the history of privacy legislation.” In this installment of Privacy Perspectives, Swire, who once served under President Bill Clinton, notes how Markey “has been involved in countless privacy issues” since being elected to the House in 1976 and details Markey’s major contributions to U.S. privacy legislation, including HIPAA and the Gramm-Leach-Bliley Act.

CHILDREN’S PRIVACY—U.S.

Video Game Industry Releases Guidelines for Mobile, COPPA (June 26, 2013)

The group that manages privacy self-regulation for the video game industry, the Entertainment Software Rating Board (ESRB), has increased its program to include mobile apps and the upcoming changes to the Children’s Online Privacy Protection Act (COPPA), AdWeek reports. With COPPA changes to go into effect July 1, the group focused on ways of obtaining parental consent, creating short-form privacy notices for apps and dealing with the expanded definition of personal data to include photos and videos, the report states. Dona Fraser, vice president of the ESRB Privacy Certified program, said “achieving compliance with requirements like COPPA can be complicated, particularly for rapidly evolving platforms like mobile.” The ESRB is also in the process of issuing certifications to its members and awaits Safe Harbor status from the Federal Trade Commission.

PRIVACY LAW—U.S.

TX Passes Breach Law; NV Social Media Law (June 26, 2013)

Privacy Tracker reports that while Texas already has a breach notification law on the books that applies to residents of states without a notification law, it recently passed Senate Bill 1610, which increases the scope further. It also gives organizations the choice of reporting under Texas law or that of the state of the affected person, but Gant Redmon, writing for CO3 Systems Blog, says “best practice will remain notifying under the law of the state where the affected party resides.” Meanwhile, Nevada has become the 11th state to pass a social media law prohibiting employers from asking for access information to employees’ or prospective employees’ social media accounts.

ONLINE PRIVACY—U.S.

IAB Sounds Off on Cookie Clearinghouse (June 26, 2013)

Mozilla’s involvement with The Center for Internet and Society at Stanford Law School in an effort to improve Internet privacy is a “Kangaroo cookie court” according to the Interactive Advertising Bureau (IAB). The IAB disapproves of the ongoing project called the “Cookie Clearinghouse,” a control system that allows users to maintain a “block” and “allow” list when it comes to cookies. But the IAB says the system “replaces the principle of consumer choice with a ‘Mozilla knows best’ system.” Mozilla said it hopes the IAB and other industry groups will get involved in the project to better the user experience, CNET News reports.

MOBILE PRIVACY

Health Group Releases mHealth Study; Privacy in HTML5 Era (June 26, 2013)

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation, Thomson Reuters reports. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also has provided a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHealth applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5.

BIG DATA—U.S.

Acxiom Access Feature Delayed But Imminent (June 26, 2013)

Forbes reports on data broker Acxiom’s attempt to provide consumers with access to their personal data. With information on nearly one billion online users and pressure from the Federal Trade Commission for data brokers to be more transparent, the company has been working on providing consumer access but has run into some obstacles. Outgoing Acxiom Chief Strategy and Marketing Officer Tim Suther said the process has been “enormously difficult” since all the “systems that have been built up over the years have been built up with an eye for serving marketers” and there are security and consumer authentication challenges. Suther said the company does not plan to charge consumers for accessing their dossiers, but with constant data updates, a complete file “is like an anomaly,” he said, adding, “The initial release will have a pretty healthy amount of information, and we intend to iterate based on top of that.”

STUDENT PRIVACY—U.S.

Plans for Data-Sharing Steeped in Privacy Concerns (June 26, 2013)

The Washington Post reports on plans in Virginia to implement a data system aimed at improving student preparation for college and workforce. The talks have been steeped in privacy concerns surrounding student data, which school officials well understand based on recent news on the National Security Agency’s surveillance methods. “This is not the greatest time in government to be talking about the cool data we collect,” said a spokesman for the Virginia Education Department. “It’s right for parents to be concerned about privacy. We share that concern.” The system would allow agencies to share data to track student progress, helping officials to create policies around the most successful routes. (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Advocates Dislike NSA Restructuring Plan (June 26, 2013)

Privacy advocates are skeptical of potential plans to have telecommunications companies, rather than the National Security Agency (NSA), retain consumers’ phone records, The Hill reports. Rep. Adam Schiff (D-CA) last week asked NSA Director Gen. Keith Alexander to look into restructuring the surveillance program. But privacy groups say such restructuring could mean data retention mandates, which could create risks. Greg Nojeim of the Center for Democracy and Technology said, “One of those risks is that the data, once retained for national security purposes, would almost certainly be made available for law enforcement and other purposes.”

MOBILE PRIVACY

Balancing the Benefits and Risks of BYOD (June 26, 2013)

InfoWorld examines the bring-your-own-device (BYOD) trend and “the question of how to balance the benefits of a self-provisioned workforce against the risks of company assets walking out the door when workers are let go.” One chief technology officer cautions, “Mobile data is a big problem, so it's time to start compartmentalizing risks. This way, you can find a balance between the benefits of a (BYOD) workforce and the risks.” The report highlights steps organizations and their IT departments can take to protect vulnerable data in the event of employee layoffs or other departures. Tips include having a written BYOD policy, keeping data off local devices and doing sweeps regularly.

PERSONAL PRIVACY—U.S.

Opinion: Privacy Must Be Preserved in Big Data Campaigning (June 26, 2013)

In an opinion piece for The Hill, columnist David Hill discusses Big Data’s role in campaign polling. The methods “threaten to trample on privacy and confidentiality,” Hill says, wondering from where the lists of potentially persuadable voters originate and what is done with their answers after phone polling occurs. “Confidentiality must be preserved to sustain the broad-based cooperation of the public,” Hill opines, noting that if trust in such anonymous polling is broken, respondents will stop participating. “Pollsters must not succumb to Big Data’s entreaties to sell out our principles,” he says.

PRIVACY LAW—EU

Search Engine Not Controller, EU Court Rules (June 25, 2013)
The EU’s top court ruled on Tuesday that Internet search engines cannot be considered “the controller” of personal data hosted on other websites, Bloomberg reports. EU Court of Justice Advocate General Niilo Jääskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12, stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, said, “A search engine is just a tool…The nature of that information is irrelevant. It’s just ones and zeros.”

HEALTHCARE PRIVACY

For Sale: Ingestible Computers To Monitor Your Health (June 25, 2013)

The New York Times reports on a new wave of prescription pills—ones that can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. John Perry Barlow of the Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” (Registration may be required to access this story.)

PRIVACY COMMUNITY

Bellamy To Become CIPL President Upon Abrams Retirement (June 25, 2013)

The Centre for Information Policy Leadership (CIPL) at Hunton & Williams LLP has announced that Bojana Bellamy, CIPP/E, global director of data privacy for Accenture and former IAPP chair, will join Hunton & Williams as CIPL’s president, effective September 2. Current Centre President Martin Abrams, who is retiring on September 1, will remain on as an advisor to the CIPL. Lisa Sotto, CIPP/US, comments on Bellamy’s leadership and Abrams’ work during the past 13 years.

SURVEILLANCE—U.S.

Sens. Say NSA Inaccurate on Protections (June 25, 2013)

Two senators on the intelligence committee have accused the National Security Agency (NSA) of publicly presenting inaccurate statements about the privacy protections on its surveillance of millions of Internet communications, The Guardian reports. However, Sens. Ron Wyden (D-OR) and Mark Udall (D-CO) say they cannot identify the inaccuracies within a factsheet without exposing classified information. In a letter written to NSA Director Gen. Keith Alexander, the senators wrote they were “disappointed to see that this factsheet contains an inaccurate statement about how the section 702 authority has been interpreted by the U.S. government…this inaccuracy is significant, as it portrays protections for Americans’ privacy as being significantly stronger than they actually are.” Editor's note: Last Thursday, Future of Privacy Founder/Co-Chair and Hogan Lovells Privacy Practice Leader Christopher Wolf led an engaging discussion with a roundtable of privacy experts on the implications of the NSA leaks for privacy professionals. You can access the free recording, worth 1 IAPP CPE credit, here.

PRIVACY LAW—U.S.

Bill Proposed To Strengthen Oversight of FISA, USA PATRIOT Act (June 25, 2013)

Yesterday, Sen. Patrick Leahy (D-VT), with the co-sponsorship of Sens. Lee (R-UT), Udall (D-CO), Wyden (D-OR), Blumenthal (D-NY) and Tester (D-MT), proposed the FISA Accountability and Privacy Protection Act of 2013 to “strengthen privacy protections, accountability and oversight related to domestic surveillance conducted pursuant to the USA PATRIOT Act and the Foreign Intelligence Surveillance Act of 1978.” Privacy Tracker reports on the proposed changes, including allowing challenges to gag orders in court, expanding public reporting of national security letters and requiring a comprehensive review of the FISA Amendments Act by the inspector general of the intelligence community. (IAPP member login required.)

DATA LOSS—U.S.

We’ve Been Breached. Now What? (June 25, 2013)

Forbes reports on what organizations can do if they are the unlucky victims of a high-profile data breach. “At a minimum,” the article states, “start providing credit monitoring for victims to reduce litigation risk.” That’s according to researchers at Carnegie Mellon University and Temple University who found a six-fold reduction of being sued in federal court for those who provide credit monitoring. The paper, “Empirical Analysis of Data Breach Litigation,” also found a 10-fold increase in litigation if the incident was a cyberattack rather than lost or improperly disclosed data. Meanwhile, the personal data of 47,000 Florida teachers was exposed during a data transfer at Florida State University. The personal information was available online for approximately 14 days, according to the state’s Department of Education.

DATA PROTECTION—EU

EC Releases Technical Measures for eDirective (June 25, 2013)

The European Commission has issued new breach notification standards for EU telecommunications and Internet service providers, PC World reports. The new “technical implementing measures” detail practical rules for implementing the ePrivacy Directive. The new measures will ensure that users in EU nations receive the same notification if their data is compromised from a breach. A public consultation initiated in 2011 found that EU nations were implementing the directive in vastly different ways, including the handling of notification deadlines. As a result, one measure mandates that providers notify data protection authorities of a breach within 24 hours of detection. Companies that encrypt personal data will be exempt from notifying users if the data is compromised.

PRIVACY LAW—U.S.

Pandora Maintains It Didn’t Violate Video Privacy Law (June 25, 2013)

Pandora is asking the Ninth Circuit Court of Appeals to uphold a decision by a U.S. District Court that the company did not violate a Michigan privacy law by allegedly sharing web users’ music-listening history with their Facebook friends, MediaPost News reports. U.S. District Court Judge Saundra Brown Armstrong dismissed a potential class-action lawsuit that Pandora violated Michigan’s Video Rental Privacy Act by participating in Facebook’s “instant personalization” program. Armstrong ruled the act doesn’t apply when companies “stream” tracks, as opposed to lending, renting or selling them, the report states. The suit’s plaintiff wants his claim revived, but Pandora says Armstrong was correct in her ruling.

SURVEILLANCE—U.S.

Privacy Board To Host Workshop on Surveillance (June 24, 2013)
The Privacy and Civil Liberties Oversight Board (PCLOB) had its first-ever meeting with President Barack Obama last Friday. In comments provided to the IAPP, PCLOB Chairman David Medine said the board “informed the president” that it “is undertaking a review of the recently revealed surveillance programs as a top priority.” The board will also host a public workshop on the programs and plans to release its recommendations.

DATA LOSS

Facebook Announces Breach, Notifies Users (June 24, 2013)

Facebook last week announced a programming bug that exposed six million users’ e-mail addresses and telephone numbers, the company reported in a security note issued Friday. The glitch seems to be due to the site’s “download your information” tool, which the company says was immediately disabled upon detection of the problem. Regulators in the U.S., Canada and Europe were notified, as were affected users. “We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said.

PRIVACY—U.S.

Wong Named White House’s Deputy CTO (June 24, 2013)

The Obama administration has announced its hire of Nicole Wong, who most recently worked for Twitter, as the White House’s deputy U.S. chief technology officer, The Recorder reports. Wong has also served as vice president and deputy general counsel of Google. “She has tremendous expertise in these domains and an unrivaled reputation for fairness, and we look forward to having her on our team,” said Rick Weiss, director of strategic communications at the Office of Science and Technology Policy.

PRIVACY LAW—U.S.

Daily Fare: Anti-Surveillance Legislation (June 24, 2013)

This Privacy Tracker weekly roundup explores some of the federal privacy legislation proposed recently. TechNewsDaily suggests that, as part of the fallout from the National Security Agency (NSA) leak, there has been a “surge in proposed privacy legislation concerning devices and their growing monitoring capabilities.” In addition to the Texas e-mail law and action in Maine to restrict drone use, federal lawmakers are working toward vehicle and TV consumer privacy bills, and others are working to restrict government collection of data. Whether due to the NSA revelations or not, anti-surveillance does seem to be the latest trend in privacy law.

DATA RETENTION—AUSTRALIA

Gov’t Won’t Pursue Retention Law (June 24, 2013)

Following a parliamentary report that analyzed telecommunications interception in Australia, the federal government has temporarily decided not to pursue a mandatory data retention regime, Computerworld Australia reports. The Parliamentary Joint Committee on Intelligence and Security submitted 43 recommendations around a retention regime. “Accordingly,” said Attorney-General Mark Dreyfus, “the government will not pursue a mandatory data retention regime at this time and will await further advice from the departments and relevant agencies and comprehensive consultation.”

PRIVACY LAW—ITALY

Garante Concerned About Gov’t Measures (June 24, 2013)

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. In this exclusive for The Privacy Advisor, Rocco Panetta details Garante President Antonello Soro’s concerns that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.”

STUDENT PRIVACY—U.S.

Schools Lean Toward Online Learning Networks, But Some Lack Controls (June 24, 2013)

The New York Times reports on concerns from privacy advocates and parents over the increasing trend by school districts to adopt learning-management systems, which they say may not have mastered data protection and privacy controls. Parent Tony Porterfield recently found out that his sons’ Los Altos, CA, school district had adopted an online learning network that did not use a standard encryption protocol, for example, making it possible for outsiders to gain access to students’ contact information. While COPPA requires online services to take reasonable measures to protect kids’ privacy, it does not require such encryption protocols. In addition, many school districts distribute only general notices about using such systems. (Registration may be required to access this story.)

ONLINE PRIVACY

Will Cookies Give Way to Fingerprints? (June 21, 2013)
While a W3C draft for Do-Not-Track may finally be moving forward, it may not matter much in the end, as online advertisers are increasingly moving away from cookies, which can be blocked or removed, and toward “fingerprinting,” a technology that allows companies to identify individuals by the profile of the device on which they surf the web. “But the marketers using fingerprinting technology are often reluctant to talk about their efforts, lest they alarm the public,” Forbes reports.

MEDICAL PRIVACY—U.S.

FDA Issues Guidance on Medical Device Cybersecurity (June 21, 2013)

Here’s something a bit unnerving: Life-saving and life-enhancing medical devices—pacemakers, patient monitors and imaging scanners, for example—are vulnerable to hackers and malicious intrusions. Those vulnerabilities can, of course, have catastrophic impacts on patients who rely on those devices, but even patient fear of these vulnerabilities can have adverse repercussions. Patients may simply avoid updating or servicing their devices. This exclusive post for Privacy Tracker by Salazar Jackson’s Luis Salazar looks at the FDA’s guidance and what device manufacturers need to consider.
Full Story

DATA PROTECTION—U.S.

Federal Baseline Breach Notification Bill Introduced (June 21, 2013)

Sen. Pat Toomey (R-PA) introduced legislation Thursday to mandate a nationwide standard for data breach notification. Sponsored by Sens. Angus King (I-ME) and John Thune (R-SD), the bill would preempt the current slate of 46 state breach notification laws and provide “better protections and swifter responses for consumers,” according to a Toomey press release. With a combination of high-profile data breaches and varying state mandates, “Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices,” the press release states.
Full Story

SURVEILLANCE—U.S.

Obama To Meet With Privacy Board (June 21, 2013)

President Barack Obama plans to meet with the Privacy and Civil Liberties Oversight Board (PCLOB) on Friday in response to the NSA surveillance program leaks, The Washington Post reports. Obama has said the PCLOB will play a key role in fostering a public debate about the programs. The president has also tapped James Clapper, the director of national intelligence, to possibly declassify more Foreign Intelligence Surveillance Court opinions. (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

The Use of Predictive Policing, Campaigning (June 21, 2013)

The New York Times’ Somini Sengupta reports on new predictive policing programs being used in Seattle, WA. Using a combination of Google Maps, license-plate readers and computer algorithms, police are able to crunch data to predict where crimes are most likely to occur. Some worry about privacy and civil liberties issues. Meanwhile, Big Data analytics is also being used to better understand and reach out to potential political supporters. Calling it the “new electioneering,” the Times reports on one company that mines online data—particularly social media—and publicly available information to “quantify and measure voter emotion and opinion online.” (Registration may be required to access this story.) Editor’s Note: Somini Sengupta will be a featured moderator at today’s Navigate event in Portsmouth, NH.
Full Story

EMPLOYEE PRIVACY—CANADA

Supreme Court Says No To Random Alcohol Testing (June 21, 2013)

The Supreme Court late last week ruled that companies cannot institute mandatory random alcohol testing of employees, Canada Newswire reports. “Random alcohol testing is a humiliating invasion of an individual’s privacy that has no proven impact on workplace safety,” said Dave Coles, president of the Communications, Energy and Paperworkers Union of Canada. Communications, Energy and Paperworkers Union of Canada, Local 30 vs. Irving Pulp & Paper, Limited stems from a 2006 policy by Irving under which an employee was chosen randomly by a computer program. The employee showed a zero blood alcohol level but claimed the test was humiliating and unfair.
Full Story

PRIVACY LAW—EU

Delay Prompts More Regulation Questions (June 21, 2013)

Writing for Field Fisher Waterhouse’s Privacy and Information Law Blog, Eduardo Ustaran, CIPP/E, questions the implications of the European Parliament’s recently announced delay in the vote on the proposed EU Data Protection Regulation. “That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest,” he writes. Ustaran highlights what could happen if the new regulation is not adopted before next year’s deadline, including inconsistent legal regimes across the EU, non-application of EU laws to global organizations, “death by paperwork” and “toothless regulators.” Meanwhile, in a feature for EurActiv, Digital Europe’s John Higgins calls for one law to cover EU governments and private-sector entities.
Full Story

SURVEILLANCE—INDIA

CCTV Not Covered in Draft Law (June 21, 2013)

Those whose images are captured via CCTV in public places “will not be able to invoke the proposed privacy law to seek redress,” The Indian Express reports. That is one provision of the draft privacy bill “likely to be tabled in Parliament’s forthcoming session,” the report states, noting the bill does include the creation of a national body to hold individuals, organizations and others accountable for audio and video recording. The bill “addresses the home ministry’s concern that interception laws must not change and that footage from security cameras in public places are kept out of the ambit of the new law,” officials said.
Full Story

PRIVACY LAW—FRANCE

CNIL Orders Compliance or Fines (June 20, 2013)
The French Data Protection Authority (CNIL) has ordered Google to bring its privacy protections in line with French data protection law within three months or face fines, The Wall Street Journal reports. The authority wants the company to comply with six requirements, including rules on data retention. A Google spokesman said the company’s privacy policy “respects European law” and noted the company has cooperated with the authority during the inquiry, which has lasted a year. (Registration may be required to access this story.)

PERSONAL PRIVACY—U.S.

Can We Adapt to Drones and the Internet of Things? (June 20, 2013)

With rapidly developing technology, particularly with the impending use of domestic unmanned aerial vehicles and the Internet of Things, Mercatus Center Senior Research Fellow Adam Thierer makes the case for allowing market forces and social norms to be the guiding principles for allowing these technologies to flourish. In this second point-counterpoint Privacy Perspectives installment, Thierer writes, “these technologies give rise to what we might consider the ‘perfect storm’ of safety, security and privacy concerns.”
Full Story

PRIVACY—EU & U.S.

Expert: NSA Revelations a Game Changer (June 20, 2013)

From connections between the National Security Agency (NSA) and various leaders at start-ups in Silicon Valley to questions of whether the NSA leaks will prompt an EU data protection rewrite, reports on the continued implications of the recent revelations abound. This exclusive for The Privacy Advisor highlights the key headlines, including a recent report from The New York Times on the connection between a former Facebook CSO and the NSA, a Reuters report on Wednesday’s cloud security summit and Sir Martin Sorrell’s comments in The Guardian that the NSA revelations are a “game changer.”
Full Story

SURVEILLANCE—EU & U.S.

Is PII Better Shielded in Europe than the U.S.? (June 20, 2013)

With a slew of criticism of U.S. government intelligence gathering programs, Hogan Lovells’ Christopher Wolf asks, “is personal data better shielded in Europe from the prying eyes of national security investigations than it is in the United States?” Though it’s a common assumption, Wolf notes that it “may not be the correct assumption.” In this Privacy Perspectives post, Wolf looks at government initiatives in France, Germany and the UK to help flesh out this complex and pressing issue.
Full Story

PRIVACY LAW—U.S.

Plaintiff Awarded $325K in SCA Case (June 20, 2013)

The trial of a 2011 case filed by radiologist David Cheng against his former colleague, Laura Romo, alleging she violated the Stored Communications Act (SCA) and Massachusetts privacy law has ended with a jury awarding Cheng $325,000 in damages, Mondaq reports. “After the U.S. District Court of Massachusetts denied (Romo’s) motion for summary judgment on both counts, the case went to trial and the verdict came down at the end of April,” the report states, noting, “This case is significant in that courts have struggled to interpret the language of the SCA, yet the jury very clearly decided in favor” of Cheng as the plaintiff.
Full Story

ONLINE PRIVACY—EU & U.S.

EU Laws, Hacking Fears Boon for Insurers (June 20, 2013)

Reuters reports that concerns about “the risks of hacking raids on corporate data,” combined with the EU’s efforts to create laws that promise “heftier fines on unprepared companies,” mean hopes of making cyber-insurance “a lucrative business line alongside risks such as weather catastrophes may be about to bear fruit.” The report notes how cyber coverage has grown as a market in the U.S. to the tune of $1 billion-plus in annual premiums. With EU lawmakers proposing bigger fines for breaches, one expert cautions the new rules “should keep CEOs awake at night...It should now be quite clear that data protection due diligence should be a boardroom issue, not a backroom issue.”
Full Story

CHILDREN’S PRIVACY—U.S.

COPPA’s Coming Down Soon, Are You Ready? (June 20, 2013)

As the revised COPPA rule will come into effect July 1, Famigo Vice President Matt McDonnell writes for Venture Beat on the 10 questions developers should ask themselves as the date approaches. Such questions include looking at whether their apps collect information, and, if so, what kind, as well as whether that data is actually necessary to the business function. McDonnell also suggests evaluating how to communicate privacy policies to consumers and getting a second opinion on whether you’re on the right side of the law.
Full Story

SURVEILLANCE

FBI Confirms Drone Use, Says It’s Limited (June 20, 2013)

FBI Director Robert Mueller testified to the U.S. Senate Wednesday that the Federal Bureau of Investigation (FBI) sometimes uses drones for surveillance efforts, Bloomberg reports. “It’s very seldom used and generally used in a particular incident when you need the capability,” Mueller said. “It’s very narrowly focused on particularized cases and particularized needs.” The testimony follows concerns by lawmakers and civil liberties advocates as revelations emerge on the government’s interception of U.S. citizens’ communications via its PRISM program. But the debate on drones has been ongoing. Mueller said the FBI is beginning to formulate privacy guidelines on the technology.
Full Story

ONLINE PRIVACY

W3C Moves Forward on June Draft; Group Launches Privacy Controls (June 20, 2013)

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet and Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states.
Full Story

ONLINE PRIVACY

Officials Want Answers on Google Glass (June 19, 2013)
Privacy officials from six countries have written to Google CEO Larry Page requesting more information about Google’s wearable computer technology, Google Glass. Privacy commissioners in Canada, Australia, New Zealand, Mexico, Switzerland and Israel want to know how the information collected by the technology may be used, CNET News reports. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” the officials wrote.

SURVEILLANCE—U.S.

Privacy in a World of Persistent Surveillance (June 19, 2013)

Recent leaks of the National Security Agency’s surveillance programs have put privacy front-and-center. “As we consider the ramifications of these revelations,” writes the Center for Democracy & Technology’s Justin Brookman, “keep in mind that the NSA is not collecting that information itself from its clandestine headquarters in suburban Maryland—it’s demanding that data from companies who have collected the data while delivering services to their users.” In this first installment of our Privacy Perspectives Point-Counterpoint dialogue, Brookman looks ahead to the privacy implications brought on by domestic use of drones and the eventual rise of the Internet of Things. Editor’s Note: Tomorrow, Mercatus Center Senior Research Fellow Adam Thierer will provide a counter analysis of these cutting-edge issues.
Full Story

SURVEILLANCE—U.S.

Google Asks FISA Court To Publish Data (June 19, 2013)

Following last week’s open letter to the directors of the FBI and national intelligence, Google has filed a motion to the Foreign Intelligence Surveillance Court (FISC) for permission to publish data on national security requests, The New York Times reports. In the motion, the company contends it has First Amendment rights to publish request totals and the number of users affected. In a personal blog post, Google Global Privacy Counsel Peter Fleischer writes, “In Europe it’s become a parlour game to debate and decry U.S. government surveillance programs,” but “there’s far less debate or transparency about European government surveillance programs.” A Governing article explores whether the PRISM leaks will affect state and local open-data projects. The leaks also raise questions about the role of chief privacy officers when law enforcement approaches an organization with a FISA order, NSL or other secret requests. A free teleconference hosted by the IAPP will explore the issues. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Texas Passes E-mail Privacy Law (June 19, 2013)

Privacy Tracker reports on Gov. Rick Perry’s signing of what has been called the toughest e-mail privacy bill in the country into law, meaning state law enforcement will need to get a warrant in order to search e-mail—no matter how old it is. The bill unanimously passed both houses of the state legislature before reaching Perry’s desk, Courthouse News reports. HB 2268 surpasses the privacy protections under the federal Electronic Communications Privacy Act, which the Senate Judiciary Committee recently voted to amend. (IAPP member login required.)
Full Story

DATA PROTECTION

Average Breach Detection Takes 10 Hours (June 19, 2013)

The average organization believes it would spot a data breach within 10 hours, according to a recent McAfee Global Survey. The survey polled 500 decision-makers from the U.S., UK, Germany and Australia earlier this year. Twenty-two percent said they could identify a breach within a day, while just more than one-third said it would take them only minutes, PC Advisor reports. “This study has shown what we’ve long suspected—that far too few organizations have real-time access to the simple question, ‘Am I being breached?’” said a McAfee spokesman. Meanwhile, Australia’s new breach notification laws could require companies to “dumb down” their monitoring capabilities, reports The Sydney Morning Herald.
Full Story

SURVEILLANCE—U.S.

Drones Are Easy To Acquire, Lack Regulation (June 19, 2013)

Congress has mandated the Federal Aviation Administration to open the skies to drones by 2015, and the drones’ cheap, light nature means everyone from real estate firms to oil and gas companies could potentially use them for their own purposes. But there are thus far no federal rules on privacy issues, and that’s leading a lot of U.S. states to ask how private drone use should be regulated. So far, laws have been enacted in Florida, Montana, Tennessee, Virginia and Texas—with bills pending elsewhere—which create law enforcement oversight. Other states have passed bills allowing drone-surveillance regulation by both public and private parties, The Washington Post reports. (Registration may be required to access this story.)
Full Story

DATA LOSS—MEXICO

Study Highlights Data Breach Concerns (June 19, 2013)

A Unisys study has found that 82 percent of Mexicans are “very concerned” about data breaches, BNamericas reports. The study showed that of the survey’s 1,052 respondents, most are concerned about breaches at banks and financial institutions followed by those at healthcare organizations, government agencies and telcos and Internet service providers. “Anxiety related to data breaches in Mexico seems pervasive and continues to persist despite efforts by governments and commercial organizations to secure consumers' financial data,” the report states. However, the survey also found low reporting for cybercrime.
Full Story

STUDENT PRIVACY—U.S.

Database Prompts Call for Monitoring (June 19, 2013)

Louisiana’s Board of Elementary and Secondary Education is appointing a task force to monitor data-sharing in the wake of the Department of Education’s partnership with inBloom, a database created to track student progress, The Times-Picayune reports. Citing parent and student concerns about the potential for others to access private student data, the report quotes Education Superintendent John White’s comments that the department data will not be sold to outside companies and will be secured behind firewalls. “We’re not suggesting this is a perfect process,” he said. “But we hope we can get to a point where the public understands and trusts that this is being done the right way.”
Full Story

PRIVACY COMMUNITY—U.S.

IPSI Is Privacy “Boot Camp To Beat All Boot Camps” (June 19, 2013)

Corporate Counsel reports on the IAPP and Maine Law Center for Law and Innovation Information Privacy Summer Institute (IPSI) as a source for timely lessons for law departments and “an entrée to the field for lawyers in training” amidst current privacy headlines. The report notes that “companies are dealing with novel issues such as data storage and analysis by cloud-service providers, the increasing use of social media by corporations to engage with consumers and even the concept of analyzing a customer’s movements in brick-and-mortar stores,” quoting IPSI faculty member and IAPP Vice President of Research and Education Omer Tene’s recommendation to consider privacy from the start and focus on “Privacy by Design, rather than privacy by disaster—after the fact.” Editor’s Note: This year’s Summer Institute will culminate with Navigate in Portsmouth, NH, this Friday.
Full Story

CONSUMER PRIVACY—U.S.

Ramirez Taps Privacy Expert To Head Bureau of Consumer Protection (June 18, 2013)
The FTC yesterday announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. In this exclusive for The Privacy Advisor, Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Edith Ramirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA.

SURVEILLANCE—EU & U.S.

After PRISM, EU Trust in U.S. Questioned (June 18, 2013)

Several EU officials have called for more trust and transparency between the EU and U.S. With both regions set to commence trade talks, the role of data protection of EU citizens is being called into question. European Data Protection Supervisor Peter Hustinx said, “If the EU wants to cooperate with other countries, including the U.S.A., on cybersecurity, it must necessarily be on the basis of mutual trust and respect for fundamental rights, a foundation which currently appears compromised.” Digital Agenda Commissioner Neelie Kroes also said the U.S. needs to be “more transparent with Europeans about what has been going on.” In an op-ed for The New York Times, EU Justice Commissioner Viviane Reding wrote that the NSA’s PRISM program puts Europeans “at a severe disadvantage compared with U.S. citizens,” adding, “EU citizens are not even given a chance to use American courts to attain any kind of remedy or recourse.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—FRANCE & U.S.

Court Case Takes On Privacy and Hate Speech (June 18, 2013)

A recent court case in France has brought out the difficult issue of balancing online privacy with the prevention of hate speech. “While online services can—and sometimes should—require posters to use their real names to discourage hate speech,” write Hogan Lovells’ Christopher Wolf and Winston Maxwell, “the U.S. government cannot require the use of real names to fight legally allowed—even if repugnant—hate speech online because of First Amendment protections for ugly free expression that anonymity promotes.” In this Privacy Perspectives post, Wolf and Maxwell analyze this dilemma through the lens of an ongoing French court case requiring Twitter to reveal users who allegedly posted anti-Semitic tweets.
Full Story

SURVEILLANCE—U.S.

Gov’t Requested Data Revealed; Confusion Prevails (June 18, 2013)

The New York Times reports on the disclosure this week by several U.S.-based tech firms on law enforcement data requests. Several companies had asked the government to allow for more transparency with their customers. In turn, the government allowed the companies to reveal the total number of requests—but that includes state and local requests. How many of the requests are terrorist-related is unknown. The Electronic Privacy Information Center’s Amie Stepanovich said, “We still don’t know what is allowed and how these programs are being implemented.” With mounting public pressure on the companies to announce something, Prof. Adonis Hoffman noted, “They’ve got to say to the consuming public that we care about your data; we’re going to do everything we can to preserve your data, and absent a national security contingency, no one gets access to your data.” Editor’s Note: The IAPP will be hosting, as a complimentary teleconference, The Implications of the NSA Leaks for Privacy Professionals on Thursday, June 20. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—CANADA & U.S.

OCR Announces Prime Resolution Details (June 18, 2013)

The Office for Civil Rights (OCR) has posted the $275,000 data breach resolution agreement with Prime Healthcare and the findings from its investigation, HealthIT Security reports. The OCR found Prime’s Shasta Regional Medical Center “failed to safeguard patients’ protected health information (PHI) from impermissible disclosure by intentionally leaking PHI to multiple media outlets on at least three separate occasions without a valid written authorization,” the report states. The report also details the specific areas in which the OCR found Prime Healthcare to be negligent.
Full Story

BIOMETRICS—U.S.

Police Photo Databases Spur Concerns (June 18, 2013)

The Washington Post reports that databases created to combat driver’s license fraud containing photos of 120 million people “increasingly are used by police to identify suspects, accomplices and even innocent bystanders in a wide range of criminal investigations.” And that is spurring concerns about the use of facial-recognition technology and the creation of “what amounts to a national identification system—based on the distinct geography of each human face,” the report states. “Where is government going to go with that years from now?” said Brett Geymann, a Louisiana state representative. “Here your driver’s license essentially becomes a national ID card.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—AUSTRALIA

Commissioner: Data Collection Could Be Criminals’ “Honey Pot” (June 18, 2013)

Amidst an increase in complaints to his office, Privacy Commissioner Timothy Pilgrim is warning that personal data collected by corporations “is a honey pot calling to criminals,” The Sydney Morning Herald reports. Last year’s complaints were a “10 percent increase on the previous year, and the figures year to date look like we are heading towards another 10 percent increase on last year,” Pilgrim said, adding, “We have already passed the 1,357 mark at the end of May, and I would think we were looking at 1,500-plus this year.” Pilgrim cautioned organizations to “only collect the type of information that is absolutely essential to provide the service.”
Full Story

PRIVACY TECHNOLOGY

Will the NSA Leaks Be a Boon for Privacy Technology? (June 17, 2013)
With growing consumer awareness about online and phone tracking in light of the National Security Agency surveillance program leaks, could producers of consumer-facing privacy-enhancing technologies see an uptick in downloads and purchases of their products? This Privacy Perspectives blog post looks into some early reaction from companies such as DuckDuckGo as well as calls for more privacy software and better consumer awareness of privacy-enhancing technology and what the government can collect.

SURVEILLANCE—U.S.

Gov’t Says Firms Can Open Up; Obama Defends NSA Programs (June 17, 2013)

The U.S. government has said that U.S. tech firms may publish government requests for user data but can only do so when combined with state and local government requests. In our continuing coverage of the National Security Agency surveillance program leaks, we look at responses from Google, Apple, Facebook and Microsoft as well as reactions from President Barack Obama, who has defended the programs, and Sen. Mark Udall (D-CO), who plans to introduce legislation that would curb some government data collection, and at how one lawsuit could break new legal ground. Editor’s Note: Somini Sengupta, of The New York Times, will be a moderator at this week’s Navigate event in Portsmouth, NH.
Full Story

ONLINE PRIVACY—EU

European Institutions Tracking Users Despite Law (June 17, 2013)

EurActiv reports European institutions are tracking website users in breach of EU data protection rules. European Data Protection Supervisor Peter Hustinx said institutions are aware and guidelines are being drawn up to deal with the problem. The admission of the problem came after recent reports of the U.S. National Security Agency’s (NSA) PRISM scheme. Meanwhile, The New York Times reports on differing European reactions to news of the NSA surveillance program.
Full Story

PRIVACY LAW—U.S.

Weekly Privacy Tracker Legislative Roundup (June 17, 2013)

With NSA news dominating privacy discussion in the mainstream media, it may be that a number of legislative developments flew under the radar this week. Make sure to read through this week’s Tracker updates on Rhode Island efforts to loosen patient confidentiality, California efforts to ban “revenge porn,” Oregon bills that would bar law enforcement from using drones without a warrant and limit the use of RFID technology and analysis of whether an ACLU lawsuit could force the Supreme Court to reevaluate privacy law interpretations.
Full Story

ONLINE PRIVACY—U.S.

Will DNT Panel Achieve Its Goal or Disband? (June 17, 2013)

The group tasked “with creating a set of industry standards for online privacy” may be “ready to call it quits,” San Francisco Chronicle reports. Since its initial meeting in 2011, there has been “scant progress on a definition of Do Not Track at the World Wide Web Consortium working group, and there may be precious little time left,” the report states. With a “Last Call” document due next month, the report quotes some panel members as saying if that goal cannot be met, “it's time to call it quits.” As Stanford’s Jonathan Mayer put it, “There must come a time when we agree to disagree. If we cannot reach consensus by next month, I believe we will have arrived at that time.” (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

LinkedIn Seeks Second Dismissal of Class-Action Suit (June 17, 2013)

U.S. District Court Judge Edward Davila is for the second time this year considering a class-action suit brought by Virginia resident Khalilah Wright against LinkedIn, according to MediaPost News. The suit alleges the company duped premium subscribers by implying there would be extra security for those paying more and that they would not be exposed to the kind of breach that resulted in 6.4 million users having their passwords posted online. Wright’s first suit was dismissed in March, as Davila ruled she failed to show a connection between her extra dues and the implied extra security. Wright is back now with an expert who’s conducted a survey showing subscribers expect extra security for extra membership fees.
Full Story

DATA SECURITY—U.S.

Veterans Affairs Taken To Task Over 2010 Breach (June 17, 2013)

House Committee on Veterans Affairs (VA) Chairman Jeff Miller (R-FL) and Ranking Member Michael Michaud (D-ME) sent a letter last week to VA Secretary Eric Shinseki demanding answers to a number of questions raised during a recent committee meeting regarding hacking by foreign nationals of the VA computer network in 2010. Will the VA be offering credit protection services to every veteran and dependent in its database? Why are there discrepancies in how the breach is being described at differing times? Why was Congress apparently not notified of these security compromises? “The fact is that we don't know what they took but I believe (the VA) had a responsibility to the men and women who served this country to notify them at the point that they knew they were hacked,” Rep. Mike Coffman (R-CO) told Federal News Radio.
Full Story

PRIVACY LAW—FRANCE

Archivists Lobby Against Right To Be Forgotten (June 17, 2013)

A group of French archivists is lobbying to keep personal data flourishing online in the face of the EU data protection draft’s “right to be forgotten” provision. Jean-Philippe Legois, president of the Association of French Archivists, says, “Today, e-mail, Facebook, Twitter, this is the correspondence of the 21st century. If we want to understand the society of today in the future, we have to keep certain traces.” The archivists have introduced a petition to present to the European Parliament. The petition has thus far received almost 50,000 signatures. Meanwhile, the French government has rejected the latest version of the draft regulation. Editor’s Note: A recent Privacy Perspectives blog post by archivist Cherri-Ann Beckles asks “Will the Right To Be Forgotten Lead to a Society That Was Forgotten?”
Full Story

GENETIC PRIVACY

DNA Samples May Be More Identifiable Than Thought (June 17, 2013)

The New York Times reports that while research subjects are often told that the DNA sample they’ve provided for the sake of science is not identifiable and their anonymity will be preserved, “geneticists nationwide have gotten a few rude awakenings, hints that research subjects could sometimes be identified by their DNA alone or even by the way their cells were using their DNA.” Such revelations are particularly concerning following the announcement that nearly 80 researchers want to combine the world’s DNA databases to make it easier for researchers to retrieve and share such data. Meanwhile, local law enforcement agencies across the U.S. have begun amassing their own DNA databases. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—FRANCE & U.S.

Court Orders Twitter To Disclose Names (June 14, 2013)
San Francisco Chronicle reports on a French case that “threatens to undermine” Twitter's record of keeping user identities private and raises questions about how non-U.S. rulings against U.S. companies will be enforced. The report references a French court’s ruling this week ordering “Twitter to disclose the names of users who tweeted anti-Semitic remarks,” noting the court determined “Twitter was ultimately responsible for the content on its website.” The report questions the enforceability of the law, noting “Twitter says it tries to comply with all local country laws” but “has made it clear it will default to American laws,” while the French ruling states that “adhering to French law is not optional.”

SURVEILLANCE—U.S.

FISA Puts Tech Biz Between Rock and Hard Place; More Spy Revelations To Come? (June 14, 2013)

The New York Times reports on a 2008 Foreign Intelligence Surveillance Act (FISA) court ruling requesting that Yahoo turn over user data on certain foreign suspects. Yahoo, at first, refused to turn over the data because there was not a warrant and the broad request was unconstitutional. However, the FISA court judge disagreed. In our continuing coverage of the NSA programs and their effect on privacy, one lawmaker warns this is the “tip of the iceberg” while other experts discuss various implications—from Big Data concerns to consumer perceptions of online tracking by private industry.
Full Story

SURVEILLANCE

Around the Globe, PRISM Revelations May Affect Privacy, Anti-Terror Policy (June 14, 2013)

As we begin to see the backside of the initial reporting on the NSA’s PRISM activities and the gathering of phone data from Verizon and other carriers, more voices are sounding their opinions on how this will affect, and already has affected, global privacy policy. The Privacy Advisor provides a roundup of the latest opinion around the globe.
Full Story

PRIVACY LAW—U.S.

PCLOB To Meet on NSA Revelations Wednesday (June 14, 2013)

As noted in the Federal Register, the Privacy and Civil Liberties Board will meet officially for the first time to “discuss classified information pertaining to the PRISM-related activities and the Foreign Intelligence Surveillance Act.” According to a Politico report, PCLOB has already been briefed by the NSA on its activities, but it’s not clear whether that included the entire board or just a portion. This meeting will also notably be the first one headed by newly appointed chair David Medine.
Full Story

SURVEILLANCE—U.S.

Opinion: Five Myths of Privacy (June 14, 2013)

Dan Solove writes an op-ed for The Washington Post dispelling myths surrounding the privacy-security balance in light of recent news of the NSA’s broad surveillance programs. “‘Metadata’ about phone calls can be quite revealing,” Solove writes. “A detailed phone record can present a telling portrait of the person associated with a telephone number.” Another point he makes is “secrecy at the level of an individual suspect is different from keeping the very existence of massive surveillance programs secret. The public must know about the general outlines of surveillance activities in order to evaluate whether the government is achieving the appropriate balance between privacy and security.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Largest Privacy Class-Action Suit Ever? (June 13, 2013)
Digital analytics firm comScore is the target of what could be the largest privacy class-action lawsuit ever, potentially amassing tens of millions of plaintiffs, reports AdWeek. Tuesday, a Chicago appellate court denied comScore’s request to overturn a lower court ruling on allegations the company’s software violates the Stored Communications Act, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act and the Illinois Consumer Fraud and Deceptive Practices Act, the report states. ComScore says it will fight the allegations and that the case is filled with inaccuracies, noting it has had little opportunity to “educate the court” on its practices. The plaintiffs are seeking injunctive relief and damages of $1,000 per violation.

SURVEILLANCE—EU & U.S.

NSA Leaks Increase EU-U.S. Tensions; Google Reveals Some Gov’t Sharing Details (June 13, 2013)

The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. Financial Times reports that the Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.” The Privacy Advisor’s continuing coverage of the recent leaks also looks at recent revelations by Google of how it shares user data when it receives national security requests, and more.
Full Story

SURVEILLANCE—U.S.

Sen. Asks PCLOB To Investigate NSA Programs (June 13, 2013)

At a Senate Appropriations Committee hearing on Wednesday, Sen. Tom Udall (D-NM) said he has sent a letter, with bipartisan support, to the Privacy and Civil Liberties Oversight Board (PCLOB) asking it to “make it a priority” to investigate the National Security Agency’s (NSA) dragnet phone surveillance and PRISM programs to determine whether they were “conducted within the statutory authority granted by Congress” and “take the necessary precautions to protect the privacy civil liberties of American citizens under the Constitution.” He also asks NSA General Keith Alexander if the NSA will work with the PCLOB. The Privacy Advisor, in this exclusive, reports on the investigation and the NSA head’s defense of its programs.
Full Story

HEALTHCARE PRIVACY—U.S.

HHS Publishes HIPAA Administrative Simplification Provisions (June 13, 2013)

The Department of Health and Human Services (HHS) has published an integrated version of the HIPAA Administrative Simplification Regulations, including sections on identifier standards, privacy rule, security rule, enforcement rule and breach notification rule, among others. Wiley Rein Partner Kirk Nahra, CIPP/US, told the Daily Dashboard this gives people “one place to put all these developments together. It’s not a ‘substantive’ development, but it makes figuring out what needs to be done and how the rules all fit together a bit easier.” Nahra noted the information will assist covered entities and business associates moving toward the September 23 deadline for compliance with the final omnibus rule. Editor's Note: For more tools and research about HIPAA, check out Close-Up: HIPAA in the IAPP Resource Center.
Full Story

PRIVACY IN POPULAR CULTURE

IAPP Members in the News (June 13, 2013)

If nothing else, the news that has been rippling around the globe about the U.S. government’s surveillance practices has brought privacy to the forefront of public discourse. Therefore, it shouldn’t be surprising that our IAPP members are showing up all over the media in recent days. The Privacy Advisor takes you on a quick tour of IAPPers in the mass media.
Full Story

PRIVACY LAW—EU & U.S.

“Deeply Entrenched Interests” Threaten TTIP (June 13, 2013)

The New York Times reports on efforts to create the Transatlantic Trade and Investment Partnership (TTIP) and concerns about U.S. and EU differences on key issues, including data protection. Officials have indicated they hope to reach an agreement by November 2014. However, Douglas J. Elliott of the Brookings Institution is quoted as suggesting there will be “maybe a one-in-three chance TTIP will happen.” While the potential deal is considered important from a trade perspective, the report states, data-sharing and privacy concerns remain, especially in light of the recent NSA headlines. Hogan Lovells Partner Christopher Wolf told the Daily Dashboard, “Once the dust settles over this current flap, I think that on both sides of the Atlantic there will be a recognition that the issue of national security and law enforcement access is an important one, but is a political one…not entirely germane to the central issue of encouraging commerce and innovation and the need for cross-border data flows. In addition, as we pointed out in our recent whitepaper on national security access to data in the cloud, the judicial approval and legislative oversight required under FISA provide more procedural protections than many countries in the EU.” (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

EPIC Issues Guidance to HHS for Mental Health Data (June 13, 2013)

The Electronic Privacy Information Center (EPIC) has issued recommendations to the Department of Health and Human Services (HHS) about what it should do regarding releasing mental health data to the National Instant Criminal Background Check System, HealthIT Security reports. The recommendations put more onus on states to protect mental health data, stating “HHS should not amend the HIPAA Privacy Rule until the Department of Justice revises its Gun Control Act regulations” to define the standards prohibiting individuals from “shipping, transporting, receiving or possessing firearms.”
Full Story

PRIVACY LAW—JAPAN

Japan Applies To Take Part in CBPR (June 13, 2013)

Japan’s Ministry of Economy, Trade and Industry has announced the government’s June 7 application to participate in APEC’s Cross-Border Privacy Rules. “Japan applied for participation in the system, following the United States and Mexico,” the announcement states, noting, “In the future, if Japan is admitted to the system and the neutral certification organization is authorized, enterprises and other entities certified by this organization will be able to prove that the handling process of private information in their companies is compatible with the APEC Information Privacy Principles.” The division in charge of the application is the Office of International Affairs, Information Policy Division, Commerce and Information Policy Bureau.
Full Story

BIG DATA—U.S.

GAO Investigating Data Brokers (June 12, 2013)
Sen. Jay Rockefeller (D-WV) has commissioned a study of data resellers by the Government Accountability Office (GAO) to be completed in late summer, reports AdAge. GAO Managing Director of Public Affairs Chuck Young says the organization is looking into “laws and regulations regarding the privacy of consumer information held by information resellers and what gaps, if any, exist in this legal framework” as well as key proposed options to improve consumer privacy. The Senate Commerce Committee and the Federal Trade Commission also have ongoing investigations of data brokerage firms.

SURVEILLANCE

NSA: Tech Firms, Lawmakers Respond (June 12, 2013)

As the recent NSA disclosures ripple their way through the privacy community, our continuing coverage today looks at reactions from major U.S. tech companies, including the StopWatching.Us effort, and several U.S. lawmakers as well as the inevitable rise of lawsuits being filed and potentially fraying relations between the U.S. and EU over past and future data-sharing agreements.
Full Story

DATA PROTECTION

PRISM’S Impact on Global Data Flows (June 12, 2013)

The revelations of the National Security Agency’s surveillance programs have brought privacy issues into the mainstream, but the disclosures could also have a direct impact on privacy pros working with international data flows. In this Privacy Perspectives post, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, analyzes how the PRISM revelations could impact global data transfers, Safe Harbor, binding corporate rules and the need for engendering fluidity over barriers with such transfers.
Full Story

PRIVACY IN POPULAR CULTURE

This NSA PRISM Story Isn’t Funny … Except When It Is (June 12, 2013)

This NSA PRISM and online surveillance story is enormously important. It has opened up a new nationwide, perhaps global, discussion on personal privacy and the tradeoffs people are willing to make between privacy and security. It may lead to new law, new cultural norms, new technology. However, it has already led to some excellent material for some very funny people. We at The Privacy Advisor would be seriously remiss if we didn’t sift through it a bit.
Full Story

DATA LOSS

Breach Stats and Implications: A Roundup (June 12, 2013)

From loss of patient data to the potential impact of the recent NSA/PRISM revelations on psychiatric patients to how the legislation affects data breach costs, breaches and their implications are making headlines across the globe. This roundup for The Privacy Advisor highlights some of the latest news, including BankInfoSecurity’s report on Symantec’s Cost of a Data Breach Study, conducted by the Ponemon Institute, which indicates the average cost of a data breach has gone up from $130 per record in 2011 to $136 per record.
Full Story

HEALTHCARE PRIVACY—CANADA & U.S.

Hospital Chain To Settle Suit for $275K (June 12, 2013)

Canadian hospital chain Prime Healthcare has agreed to settle for $275,000 a U.S. federal investigation into alleged privacy violations. Los Angeles Times reports that Prime’s Shasta Regional Medical Center was accused of violating patient confidentiality by sharing a patient's medical records with journalists and e-mailing her treatment details to almost 800 hospital employees. While the company agreed to the settlement, it admitted no wrongdoing and claims it “would have prevailed in this matter based upon the merits.” California regulators fined Prime $95,000 for this breach last year, but the company says it plans to appeal that fine.
Full Story

SURVEILLANCE

NSA Implications for Gov’t, Ad Industry, Consumers (June 11, 2013)
In our continuing coverage of the fallout from the recent leak of the National Security Agency’s surveillance programs, a slew of implications—from effect on trade negotiations to developments with the proposed EU data protection regulation to calls for baseline privacy legislation in the U.S. to the possible effects on the online ad industry—are continuing to emerge this week. We bring the palette of issues together in this report for The Privacy Advisor.

BIOMETRICS

Google Outlaws Facial Recognition, Voiceprints for Google Glass (June 11, 2013)

Google has decided to ban facial-recognition technology from its Google Glass product, following pressure from the U.S. Congress. It has also banned voiceprints, which would allow the microphone to identify a speaker. App developers—including Lance Nanek, who built an app that would allow clinicians wearing the glasses to verify patient identities and pull their medical records without having to turn to a secondary device—are disappointed in the decision. The company says it will not allow such applications until “strong privacy protections” are in place, but the Future of Privacy Forum wonders “what sort of privacy protections can actually be put in place for this sort of technology?”
Full Story

PRIVACY LAW—U.S.

$6M AOL Class-Action Approved (June 11, 2013)

Mondaq reports a federal judge has given “final approval to a class-action settlement between AOL and a class of more than 650,000 AOL members whose search queries were disclosed to the public” in a case that “has become almost folklore in the privacy world.” The case stems from a 2006 incident where AOL employees released search query data from members for research purposes. “Although the members had been supposedly anonymized, some of them were re-identified based solely on the patterns in their searches,” the report states. The settlement includes $5 million in payments to class members as well as almost $1 million in legal fees.
Full Story

MOBILE PRIVACY—U.S.

The Tension Between Innovation and App Privacy Regulation (June 11, 2013)

“Today’s discussions about application privacy revolve around smartphones and tablets,” writes Promontory Associate Partner Kenesa Ahmad, CIPP/US, for this installment of Privacy Perspectives. With a rapidly evolving ecosystem, “these trends raise questions about how to best regulate app privacy in a technology-neutral way that will keep pace with rapid change and consumer adoption.” Ahmad explores how privacy pros can navigate this important and protean tension.
Full Story

DATA PROTECTION—EU

Reding Optimistic on Reforms; Others…Not So Much (June 11, 2013)

MP Chris Grayling suggests the EU’s proposed data protection reforms could “damage business growth and employment prospects” and “leave the EU uncompetitive in the global digital economy for years to come,” but Justice Commissioner Viviane Reding disagrees. Instead, she says, the reform will improve trust in the digital economy, leading to growth, InformationAge reports. Meanwhile, UK Information Commissioner Christopher Graham has concerns commissioners will not have sufficient resources to regulate under the reform. One chief information officer opines that businesses that adapt quickly to the new rules will benefit from better information sharing.
Full Story

DATA PROTECTION—U.S.

One Company’s “Training Day” (June 11, 2013)

Data breaches are on the rise. The number of data breaches in 2012 was reportedly double that of the previous year. The costs of cleaning up a data breach—both financial and in the loss of consumer trust—also continue to rise. As a result, more and more companies find themselves agreeing with Governo Attorney Nancy Kelly, who recently noted at an IAPP event that it costs less to take measures to prepare for the worst than to cover the fallout. Constant Contact, an online marketing company offering survey and social media marketing, is not regulated by privacy rules, but it has decided to be proactive on getting privacy-smart. This exclusive for The Privacy Advisor talks about why.
Full Story

ONLINE PRIVACY

Whistleblower Comes to Light, U.S. Gov’t Defends Its Programs (June 10, 2013)
Former technical assistant for the Central Intelligence Agency Edward Snowden has come forward in an online interview with The Guardian, speaking of his reasoning for handing over classified information about the National Security Agency’s PRISM online surveillance program. This comes amidst continuing national and international debate and discussion about online privacy and surveillance practices. The Privacy Advisor rounds up U.S. government defense of the program, international reactions (including potential EU-U.S. trade implications), the potential impact on online behavioral advertising and how privacy experts and advocates are reacting to the news.

PRIVACY LAW—U.S.

In Focus: New State-Level Social Media Laws (June 10, 2013)

In this week’s Privacy Tracker round-up, we look at new laws governing employer access to employee social media accounts that will soon take effect in Oregon and Washington, along with impending legislation in New Jersey, where Gov. Chris Christie seems poised to sign a law he initially conditionally vetoed. Also, the U.S. is seeking new federal law to target foreign hackers. (IAPP member login required.)
Full Story

PERSONAL PRIVACY

Tough Choices: Privacy and the Public Good (June 10, 2013)

With news of the National Security Agency program leaks flooding the media, this Privacy Perspectives blog post looks at a recent collaboration of healthcare researchers who are combining efforts to share mass troves of data for improving the research and development of cures for cancer and other rare diseases. Though the effort potentially risks re-identification of a subject, balancing personal privacy with the public good is an issue we’re facing on many fronts in our society. Where do we draw that tentative line, and how much say do we each have?
Full Story

SURVEILLANCE—U.S.

Lawyer Taking Street View Case to Appeals Court (June 10, 2013)

The U.S. Court of Appeals for the Ninth Circuit will this week hear arguments aiming to bring sanctions against Google over its collection of personal data from WiFi networks via its Street View mapping project, The Recorder reports. "Although these home networks were not password-protected, the communications transmitted over them were private and not broadcast for public consumption," Elizabeth Cabraser writes in her appellate brief. "Such communications are protected from prying eyes by the Wiretap Act, as amended by the Electronic Communications Privacy Act." Google attorneys say the data upload was unintentional and not illegal because anyone can access unencrypted WiFi signals.
Full Story

HEALTHCARE PRIVACY—U.S.

HIPAA Loopholes Allow States to Sell Identifiable Data (June 10, 2013)

HealthITSecurity reports on HIPAA loopholes resulting in the compromise of patient privacy. States are collecting medical data and selling it to researchers and other third parties. Discharge information is exempt from HIPAA privacy rules requiring the removal of 18 patient identifiers, for example. While many states remove the identifiers for discharge data anyway, Washington does not. “While the Office for Civil Rights hasn’t reported any complaints on the matter, the amount of discretion that’s allowed toward states when it goes to de-identifying data is an interesting privacy conversation,” the report states.
Full Story

SURVEILLANCE

NSA Data Mining Story Widens Into PRISM (June 7, 2013)
Following yesterday’s revelations about the NSA’s data collection from Verizon comes a story from The Washington Post outlining PRISM, a systematic program of data collection from “nine leading U.S. Internet companies, audio and video chats, photographs, e-mails, documents and connection logs” that allow intelligence analysts to track foreign threats. The Privacy Advisor rounds up the story’s many angles and provides reactions that include calls for immediate suspension of Safe Harbor and other indications this may harm U.S.-EU trade relations.

SURVEILLANCE—U.S.

Swire Calls for PCLOB Action in Light of PRISM (June 7, 2013)

In light of news about the National Security Agency’s surveillance programs—including the collection of telephone records and its PRISM program—former Clinton Administration Chief Counselor for Privacy Peter Swire, CIPP/US, “recommends that investigating these revelations should become the first priority for the newly stood-up Privacy and Civil Liberties Oversight Board.” In this Privacy Perspectives exclusive, Swire explains why such an investigation is needed.
Full Story

HEALTHCARE PRIVACY—U.S.

Audits Show Risk Assessment Requirement Not Being Met (June 7, 2013)

The HIT Policy Committee’s Privacy and Security Tiger Team is considering methods other than attestation to call greater attention to the importance of risk assessments in HIPAA Security Rule requirements in HITECH Stage 3, reports GovInfoSecurity. Tiger Team Chair Deven McGraw says many healthcare providers are falling short on conducting timely risk assessments, noting that based on HIPAA audits the risk assessment requirement “is still not being met.” Meanwhile, a HealthITSecurity report questions where fine money resulting from HIPAA security audits is going.
Full Story

PRIVACY LAW—EU

EU Regulation Round-Up: Move Toward Business-Friendly; May Be No Vote until December (June 7, 2013)

In a meeting of justice ministers from the 27 European Union member states yesterday, The New York Times reports that an agreement was reached on a “business-friendly proposal” for the contentious EU data protection regulation that would take a risk-based approach to regulating companies that gather data. However, there remains a long row to hoe, and some MEPs are now predicting there will be no vote on the regulation until December at the earliest. Editor’s Note: Somini Sengupta will be a moderator at the IAPP’s Navigate event, on June 21 in Portsmouth, NH.
Full Story

STUDENT PRIVACY—U.S.

Understanding the Family Educational Rights and Privacy Act (June 7, 2013)

Following on the heels of a March report, Complying with FERPA and Other Federal Privacy and Security Laws and Maximizing Appropriate Data Use, The Flashlight provides a Q&A with the report’s author, Steve Winnick, who serves as a senior counsel in EducationCounsel LLC, an affiliate of the Nelson Mullins Riley & Scarborough LLP law firm. Winnick dives into common misunderstandings about FERPA and takes a look into the future.
Full Story

DATA RETENTION—EU

Sweden To Pay for Failure To Implement Directive (June 7, 2013)

The Court of Justice of the European Union has held that Sweden failed to fulfill its obligations under EU law when it comes to implementing the EU Data Retention Directive, reports Hunton & Williams' Privacy and Information Security Law Blog. Sweden has been ordered to pay 3,000,000 euros. In 2010, the court found Sweden failed to transpose the directive into national law by its September 2007 deadline. Sweden complied in 2012 after internal debate over balancing privacy rights with the need to combat crime, but the commission ruled such difficulties did not justify failure to comply.
Full Story

DATA LOSS—EU

Council Fined for Data Breach (June 7, 2013)

A UK Council has been fined for breaching the Data Protection Act, eSecurity Planet reports. The council has been ordered to pay 70,000 GBP after a council employee sent a letter including personal details about an adopted child to a birth mother. The breach was caused by the council’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.”
Full Story

SURVEILLANCE—U.S.

Gov’t Collecting Data from Verizon Since April (June 6, 2013)
The Guardian reports that the U.S. National Security Agency is now collecting millions of U.S. Verizon customers’ telephone records, under a top-secret court order dating back to April. The order requires Verizon to provide the government with such data on an “ongoing, daily basis,” the report states. The data includes location, call duration and unique identifiers. The practice is possible due to a “business documents” provision within the USA PATRIOT Act. Because the data is designated “metadata,” rather than “communications,” a warrant is not necessary. In reaction to the news, former Vice President Al Gore tweeted, “In the digital era, privacy must be a priority. Is it just me, or is secret blanket surveillance obscenely outrageous?” The AP has quoted a senator as saying collection of phone records by NSA is an “ongoing practice.” Editor’s Note: David Medine was recently confirmed as chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) and former White House Deputy Chief Technology Officer Danny Weitzner explained why privacy pros should pay attention to the PCLOB.

PRIVACY LAW—EU

Ministers To Mull Exemptions to Rule (June 6, 2013)

EU Justice Ministers will today consider granting EU institutions “a sweeping exemption” from new data protection rules that would require the institutions to employ a data protection officer and consult the European Data Protection Supervisor, EurActiv reports. The European Commission says the rule is currently stricter than general rules on data protection. The exemption would apply after the new regulation is passed, but would include the stipulation that the commission update existing law to bring it in line with the revised regulation.
Full Story

ONLINE PRIVACY—U.S.

Ohlhausen Worried about Regs’ Effect on Business (June 6, 2013)

Federal Trade Commissioner Maureen Ohlhausen still worries that restricting companies’ permissible data collection could hamper online ad startups. In a recent speech at a Digital Advertising Alliance conference, Ohlhausen said that “reducing the flow of information in the marketplace” could impose barriers to entry by precluding new companies from “obtaining valuable information that incumbents already possess,” MediaPost reports. Ohlhausen’s comments reflect concerns already raised about new privacy regulations by ad firms who worry that being designated a “third-party site” will prevent them from collecting data that first-party sites, such as Amazon, are permitted to collect.
Full Story

MOBILE PRIVACY

Opera Releases Mobile Browser With Privacy Built-In (June 6, 2013)

The Norwegian browser developer Opera announced this week the release of Opera Mini 4.5, a low-end mobile browser intended for “featurephones.” Notably, it has a built-in private setting that keeps any login or data from being saved to the phone. For example, friends can log in and check Facebook without worries their log-in information will be retained.
Full Story

PRIVACY LAW—U.S.

Murder-Scene Law Raises Privacy, FOI Questions (June 6, 2013)

A new law about to be signed by Connecticut Gov. Dannel Malloy, which would give family members the right to keep private the photographs of victims of murder investigations, has the Freedom of Information Commission preparing for controversy. At issue is language in the bill referring to “unwarranted invasions of privacy.” “When does an ‘invasion of privacy’ become warranted,” wondered FOIC Executive Director Colleen Murphy, speaking with The Connecticut Post. The bill was initiated following the Sandy Hook shootings, and part of the law places a year-long moratorium on the release of police recordings surrounding the incident.
Full Story

GENETIC PRIVACY

Privacy Is Major Hurdle for Research Group (June 6, 2013)

A group of geneticists has established a consortium aimed at creating a database of genetic and clinical data that could be accessed by doctors and researchers across the globe, reports The New York Times. Experts from the consortium say the major challenge is a lack of standards for storing and sharing data and for assuring that patients consent to this sharing of their data. “The question is whether and how we make it possible to learn from these data as they grow, in a manner that respects the autonomy and privacy choices of each participant,” said David Altshuler of Harvard and MIT. The group consists of more than 70 medical, research and advocacy organizations active in 41 countries. (Registration may be required to access this story.)
Full Story

PRIVACY BIZ

Privacy Ref Launches Roundtable Series (June 6, 2013)

Former Staples Senior Manager of Worldwide Privacy and Compliance Bob Siegel, CIPP/US, CIPP/IT, CIPM, has announced his consulting firm, Privacy Ref, will be holding a series of roundtables for businesses looking to start up an in-house privacy program. The series includes virtual meetings organized by a Privacy Ref facilitator and is limited to 10 participants.
Full Story

GEO PRIVACY—U.S.

Budget May Stop Maine Bill Requiring Warrant for Geodata (June 5, 2013)
Maine’s House and Senate have both essentially passed LD 415, An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device. LD 415 would do basically what its title says, with some 90-day delay allowances at the discretion of a judge. However, the bill does not yet sit on the governor’s desk awaiting signature. Because the bill has been assigned a fiscal note of roughly $234,000 over the next two years, it now sits with the Appropriations Committee, which must decide whether there is funding in the budget to cover the expense. This exclusive for The Privacy Advisor has the details.

PRIVACY LAW—EU

Council of the EU Releases Draft Compromise (June 5, 2013)

The Council of the European Union has released a draft compromise text in response to the European Commission’s proposed data protection regulation. According to Hunton & Williams’ Privacy and Information Security Law Blog, the text narrows the scope of the regulation and “seeks to move from a detailed, prescriptive approach toward a risk-based framework.” In this exclusive for The Privacy Advisor, Centre for Information Policy Leadership President Marty Abrams and Wilson Sonsini Senior Of Counsel Christopher Kuner both share their insights on this latest development, which has some privacy advocates up in arms.
Full Story

CHILDREN’S PRIVACY—U.S.

Biz Concerned About COPPA Compliance (June 5, 2013)

When it comes to complying with COPPA changes going into effect July 1, “Industry advocates paint a dire scenario of costly audits, abandoned projects and disrupted business models,” POLITICO reports, while privacy advocates and the Federal Trade Commission “view the expanded rules as vital to protecting kids.” The changes include requiring additional types of companies to get parental consent before collecting information from children under the age of 13. Additionally, the changes broaden the definition of personal information, which will now include photographs and videos. DLA Piper’s Jim Halpert suggests, “The proposed rule will likely dry up the market for behavioral advertising on child-directed sites.”
Full Story

DATA PROTECTION

Study: Avg. Breach Cost Is $136 Per Record (June 5, 2013)

Ponemon Institute and Symantec have released a study indicating human errors and system problems were the causes of two-thirds of data breaches in 2012, and the average breach cost is now up to $136 per record, The Wall Street Journal reports. The issues involved included “employee mishandling of confidential data, lack of systems controls and violations of industry and government regulations,” the report states. The study also found financial services incidents to be the most costly. (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

State Records Sales Pose Privacy Risks (June 5, 2013)

Businessweek reports the sale of records by various states is putting privacy at risk as the records include data “to link a person’s identity to medical conditions using public information.” Some states compile the records into databases “available for sale to researchers, companies and other members of the public,” the report states, noting, “The potential for a patient’s hospital record to be made public by anyone buying data compiled by states adds to ways privacy is vulnerable in an age of digitized health record-keeping and increasingly sophisticated hacking.” Meanwhile, Becker’s Hospital Review reports on HIPAA-compliance concerns, suggesting internal compliance measures may not be enough if vendors are violating the law.
Full Story

PRIVACY BIZ—U.S.

Lane Powell LLC Launches Privacy and Data Security Practice (June 5, 2013)

Citing the fact that “clients and potential clients are constantly talking about it,” super-regional law firm Lane Powell LLC has launched a formal Privacy and Data Security practice, with an initial group of more than 20 attorneys, based in Seattle, WA, Portland, OR, and Anchorage, AK. What do they see as the privacy market’s potential?
Full Story

PRIVACY BIZ

Evidon To Acquire MobileScope (June 5, 2013)

MediaPost News reports on privacy-compliance company Evidon’s acquisition of MobileScope, a tool used to determine mobile apps’ collection or sharing of information about users. The deal, expected to be finalized today, will see Evidon incorporating MobileScope into a subscription-based offering that allows companies to view what data is being mined from their services for the purposes of ad targeting.
Full Story

PERSONAL PRIVACY—U.S.

More Info on FTC’s Internet of Things Workshop (June 5, 2013)

While acknowledging that most appliances and medical devices are not currently connected to the Internet, the Federal Trade Commission (FTC) is looking to a future where they likely will be, MediaPost reports. On November 21, the FTC will hold a workshop on the Internet of Things. Advocacy groups and others have submitted comments to the FTC, including the Center for Digital Democracy (CDD) and the Future of Privacy Forum (FPF). The CDD and FPF, in their comments, highlight increased risk for consumers, and the FPF says without some privacy protections consumers will lose trust in the technologies. But George Mason University's Adam Thierer cautions against broad preemptive regulations that would stifle progress. Editor’s Note: Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E, explores the Internet of Things in this Privacy Perspectives blog post.
Full Story

GENETIC PRIVACY—U.S.

Advocates Say DNA Could Become New SSN (June 5, 2013)

Privacy advocates are concerned that DNA could become the new Social Security number, reports U.S. News and World Report. The concern follows the U.S. Supreme Court decision this week in which the justices ruled law enforcement may collect DNA swabs from inside a person’s cheek upon arrest. New York University Law Prof. Erin Murphy said she’s concerned about the ruling’s vague wording, stating DNA can now be taken in case of “serious arrests” but is not excluded from being taken in lesser arrests. Privacy expert Julian Sanchez said the ruling means police could arrest you for speeding and then “DNA can be collected and put in a federal database.”
Full Story

PRIVACY ENGINEERING

What Misconceptions Do Consumers Have About Privacy? (June 4, 2013)
“Control of personal information in the digital space, and particularly on mobile devices, presents a unique design challenge,” writes Create with Context CEO Ilana Westerman in this Privacy Perspectives post. “We can leverage existing technology to create new experiences around personal data collection that are both transparent and provide control,” she notes, “But before we can begin to think about design solutions, we need to understand consumers’ current experience and expectations of how their personal information is handled and safeguarded.”

SURVEILLANCE

UN Report: State Surveillance Violates Rights to Privacy, Expression (June 4, 2013)

The United Nations (UN) Office of the High Commissioner of Human Rights drew attention today to its recent report indicating state communications surveillance undermines the human rights to privacy and freedom of expression. “Concerns about national security and criminal activity may justify the exceptional use of communications surveillance,” said UN Special Rapporteur Frank La Rue. “Nevertheless, national laws regulating what constitutes the necessary, legitimate and proportional state involvement in communications surveillance are often inadequate or simply do not exist…Who are the authorities mandated to promote the surveillance of individuals? What is the final destiny of the massive amounts of the stored information on our communications? These questions urgently need to be studied in all countries to ensure a better protection of the rights to privacy and the right to freedom of expression.”
Full Story

PRIVACY LAW—U.S.

Are Your Telemarketing Practices In Line with TCPA Changes? (June 4, 2013)

Business Law Today reports on the Telephone Consumer Protection Act (TCPA) rule, scheduled to take effect in October. The Federal Communications Commission has revised the TCPA to include requirements for written consent when making autodialed and prerecorded telemarketing calls and text messages to cell phones and prerecorded telemarketing calls to landlines, the report states. The changes are intended to make TCPA more consistent with the Federal Trade Commission’s Telemarketing Sales Rule. In light of these changes and an upward trend in TCPA litigation, the authors recommend businesses assess their calling and text messaging practices to ensure they are in keeping with the amended rule.
Full Story

PRIVACY LAW—EU

Baroness, Green Disagree in Public Over Regulation (June 4, 2013)

Euractiv reports on a public clash between two European Parliament lawmakers charged with guiding the proposed EU data protection regulation through the governing body. Last week, German Green MEP Jan Philip Albrecht in an interview said, “Some groups in Brussels are now acting against what the European Commission has proposed on the basis of what the Parliament has demanded before,” adding, “If we pass through a legislation undermining what we have said in our resolution, undermining current law, then I think we will completely lose the trust in the European Parliament and the European Union as a whole.” In response, UK MEP Sarah Ludford posted an e-mailed response to Albrecht on her website stating she was “unpleasantly surprised” at the “highly irresponsible and misleading interview” he had given. Editor’s Note: A recent Privacy Perspectives post delves into the heightened rhetoric surrounding the proposed regulation.
Full Story

DATA PROTECTION—UK

ICO Funding Cited as Problem (June 4, 2013)

The Information Commissioner’s Office (ICO) has revealed there is a high probability the agency will not have enough funding to accomplish its goals, Information Age reports. The ICO risk register released late last week noted, “the ICO does not have enough funding to meet its obligations, the expectations of its stakeholders or achieve its plan,” adding, “In consequence, it (would have) to scale back what it wants to do and fails to deliver an acceptable level of service.” The agency has informed the government it needs more resources and has expressed concern that the proposed EU data protection regulation may have an impact.
Full Story

ONLINE PRIVACY—U.S.

Publishers Ask DC To Help Stop Cookie-Blocking Plan (June 4, 2013)

AdWeek reports that about 60 small online publishers gathering in Washington, DC, as part of an Interactive Advertising Bureau (IAB) event are seeking “to persuade lawmakers to put more pressure on Mozilla to change its plans for blocking third-party advertiser cookies by default in its Firefox browser.” The IAB’s Mike Zaneis said, “The Mozilla plan has galvanized the small web community. They haven't been as passionate about policy issues as they are this year.” Mozilla has announced the default cookie-blocking will not be included in its July release, but “small Internet websites still feel threatened,” the report states.
Full Story

ONLINE PRIVACY—U.S.

Woman Who Uncovered Petraeus Affair Files Suit (June 4, 2013)

The Tampa, FL, woman whose complaints about cyberstalking exposed the David Petraeus affair has filed a lawsuit accusing federal officials of violating her privacy, USA TODAY reports. The woman, Jill Kelley, and her husband are seeking an apology and unspecified damages, stating the officials who leaked data about them should have been protecting their privacy. "Instead we received highly hurtful and damaging publicity from willful leaks from high-level government officials that were false and defamatory," Jill Kelley said in a statement. "In addition, we also learned that our personal e-mails were wrongfully searched and improperly disclosed."
Full Story

ONLINE PRIVACY

Yahoo E-Mail Scans Not New Practice (June 4, 2013)

CNET reports that the news that Yahoo users will have their e-mail scanned so relevant ads may be sent to them isn’t actually news at all; the service provider has been doing so since 2011. "This is not about a new policy," said Yahoo spokeswoman DJ Anderson. "We believe having personalized experiences benefits the user. If the user doesn't want to have contextual-based or interest-based advertising, they can opt out of that through our ad interest manager." Users may have simply become aware of the change when Yahoo recently informed users they will be required to upgrade to a newer version of Yahoo mail, which would require them to accept Yahoo’s terms of service and privacy policy.
Full Story

PRIVACY LAW—U.S.

Judge: Google Must Hand Over Data; EFF, Facebook Call for User Privacy (June 3, 2013)
Network World reports District Judge Susan Illston has ordered Google to hand over data requested in 19 National Security Letters (NSLs), noting, however, that “Illston all but invited Google to try again, stressing that the company has only raised broad arguments, not ones ‘specific to the 19 NSLs at issue’.” In a separate privacy issue, Google Glass will not include facial recognition technology at this time, the report states. Meanwhile, the Electronic Frontier Foundation (EFF) has filed an amicus brief in a California appellate court “urging the court to protect the privacy rights of social media users by requiring that all requests for their account information—including content—be directed to the users, rather than to third parties like Facebook.”

GENETIC PRIVACY—U.S.

Supreme Court Rules Police Can Take DNA (June 3, 2013)

The Associated Press reports that the U.S. Supreme Court has ruled police can take DNA swabs from individuals upon arrest without warrant. In a “sharply divided” 5-4 ruling, the majority said DNA testing is a legitimate police procedure. Justice Anthony Kennedy said, “Taking and analyzing a cheek swab of the arrestee DNA is, like fingerprinting and photographing, a legitimate police booking procedure that is reasonable under the Fourth Amendment.” Four dissenting justices argued that the ruling gives police new powers. Justice Antonin Scalia said, “Make no mistake about it: Because of today’s decision, your DNA can be taken and entered into a national database if you are ever arrested, rightly or wrongly, and for whatever reason.” Editor’s Note: A recent Privacy Perspectives blog post looked into the work of Heather Dewey-Hagborg, who will be speaking at Navigate, and the privacy implications surrounding DNA collection and use.
Full Story

PRIVACY LAW—U.S.

The Next Privacy Frontier: Geolocation (June 3, 2013)

With the launch of the brand new Privacy Tracker blog—a service for IAPP members focused on privacy legislation activity—the privacy team at Hogan Lovells focuses on location data and how it will be regulated in the future. As the unique and potentially sensitive nature of certain geolocation information becomes more apparent, U.S. lawmakers on both sides of the aisle are increasingly pushing legislation intended to address the privacy issues attendant to the collection, use and disclosure of geolocation information. What is the status of these bills, and how should you be preparing for their future impact?
Full Story

PRIVACY LAW—U.S.

Wyndham Case May Cut Back or Expand FTC’s Powers (June 3, 2013)

Ed Beeson writes for NJ.com on the pending Federal Trade Commission (FTC) suit against Wyndham Worldwide alleging it engaged in “unfair and deceptive practices”—specifically, telling “customers it used ‘standard industry practices’ to protect their private information” when those steps were not appropriate, according to the FTC. Beeson notes the Wyndham case stands alone because the company is seeking dismissal on the grounds that the FTC has overstepped its authority. “Depending on the outcome, the FTC could see its enforcement efforts on cybersecurity cut back,” he writes, adding, “Or it could end up walking away with expanded powers.”
Full Story

PRIVACY LAW—EU

Proposed EU Regulation: The Great Debate (June 3, 2013)

Pressure around finalizing the proposed EU data protection regulation is in full force, with several issues reaching the headlines last week. Plus, lobbying efforts by industry and advocacy are reaching new heights. One coalition of privacy advocates has banded together to get citizens to petition their European Parliament representatives and demand a strong data protection framework. This Privacy Perspectives blog post looks at some of the dialogue and imagery that is coloring the debate.
Full Story

ONLINE PRIVACY

Differing Approaches to Enforcement and Fines, Through the Lens of Street View (June 3, 2013)

The data protection laws in all 27 European member states derive from one directive, but since the directive leaves a margin of freedom to each member state concerning its implementation, there are obvious disparities in the DPAs' approaches, which are particularly evident when it comes to enforcement. In this exclusive for The Privacy Advisor, the cases against Google's Street View offer a good example.
Full Story

PRIVACY LAW—LATIN AMERICA

Consent is King in Latin America; Brazil’s Draft Law Talks a Big Game (June 3, 2013)

While Latin American privacy laws have largely been based on European frameworks in order to facilitate business, their prescriptive nature on data breach disclosures and cross-border transfers may be more likely to keep businesses away than to draw them in. That was the message in a recent IAPP web conference on “Keeping Up with Data Privacy Developments in Latin America,” led by Matthew S. DelNero, partner at Covington & Burling, and Mariana Tavares de Araujo, partner at Levy & Salomao Advogados, who also discussed Brazil’s impending data protection law. While not expected to pass for some time, the law could have profound effects on business, with fines for violations that could total 20 percent of a company’s turnover.
Full Story

DATA LOSS

A Roundup of Recent Data Breaches (June 3, 2013)

Data breaches continue to plague organizations across industry sectors. From the hack of content management platform Drupal to a slew of breaches affecting personal health information, this roundup for The Privacy Advisor also includes analysis of two emerging legal arguments arising to prove financial harm in healthcare breaches, what a recent U.S. Supreme Court decision could mean for defending against data breach litigation and word that an Australian government proposal to implement mandatory breach notification legislation will increase class-action lawsuits.
Full Story

PERSONAL PRIVACY—U.S.

Should Political Campaigns Distribute Voter Data? (June 3, 2013)

In the 2012 Presidential race, the Obama for America 2012 campaign wanted to send e-mail messages to supporters asking them to contact other potential supporters and provide personal information in order to facilitate such action. The campaign decided against it in the end. “We couldn't do the whole experiment we wanted to do, because people were really worried about sending out personal information over e-mail,” said Rayid Ghani, chief scientist of the campaign. Ghani was one of the political advisers who spoke at a recent conference on political campaigns' use of data mining, MediaPost reports.
Full Story

TRAVELERS’ PRIVACY

Nude Scanners Removed, Advocates Still Displeased (June 3, 2013)

In accordance with the June 1 deadline set by Congress, the Transportation Security Administration (TSA) has removed “nude” x-ray-based body scanners from U.S. airports. But privacy advocates remain dissatisfied, citing the TSA’s continued use of different full-body scanners that employ millimeter wave technology, Los Angeles Times reports. The current scanners display a generic figure and pinpoint areas on the body where hidden objects have been detected. But Marc Rotenberg, executive director of the Electronic Privacy Information Center—which sued the TSA in 2010 over the scanners—says there are “lingering questions about whether the millimeter-wave devices are retaining images.” A TSA spokesman said the machines are programmed not to retain them.
Full Story