Privacy News | Daily Dashboard

Breaking news. In-depth articles. Global coverage.

Save time searching the headlines for privacy news in the media. Get the latest breaking privacy and data protection news from around the globe all in one place—The Daily Dashboard. Our FREE daily e-newsletter summarizes the day’s top privacy stories with links to the full articles—sent directly to your desktop each weekday!

Subscribe now!

Top Privacy News

DATA BREACH—U.S.

A Halloween Take on the Many Lives of PII (October 31, 2013)
With a complicated patchwork of state breach notification laws across the U.S., navigating the compliance landscape can be a tall task, prompting privacy lawyer Annie C. Bai, CIPP/US, to ask, “Can you believe how many different state laws we privacy pros need to reference just to determine what is PII (personally identifiable information)?” Bai notes that the definition of PII “is important because it is a trigger for breach notification requirements in 48 U.S. jurisdictions,” including Washington D.C. and Puerto Rico. “Thankfully, the spirit of Halloween has bestowed upon me some inspiration in my search for broader understanding of these definitions,” Bai writes. This Privacy Perspectives post looks at Bai’s seven PII archetypes to help better understand this complicated ecosystem. Editor’s Note: For more information, see Mintz Levin’s comprehensive chart of state breach notification laws in the IAPP Resource Center.

PRIVACY RESOURCES

To BYOD or Not To BYOD (October 31, 2013)

Bring Your Own Device (BYOD) programs allow employees to use their own devices to stay connected to, access data from or complete tasks for their organizations. While BYOD programs reportedly result in increased employee productivity and job satisfaction, they also bring privacy and security challenges. View research, sample policies and guidance in this IAPP Resource Center Close-Up to help you determine whether BYOD works for your organization—and, if it does, how to keep your data safe in the process.
Close-Up: BYOD

DATA PROTECTION—U.S.

Report Says NSA Intercepted ISPs’ Data (October 31, 2013)

Google and Yahoo are upset with a report that the NSA has secretly intercepted “large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers,” The Guardian reports. “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryptions across more and more Google services and links, especially the links in the slide,” said Google’s chief legal officer. Meanwhile, the American Civil Liberties Union says an FBI program that collects reports about suspicious activity lacks privacy safeguards.
Full Story

SURVEILLANCE—U.S.

Franken and Heller Reintroduce Bill on Surveillance Transparency (October 31, 2013)

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013, Broadcasting & Cable reports. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. "The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused," said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes.
Full Story

PRIVACY—U.S.

States Take Action Where Federal Gov’t Hasn’t (October 31, 2013)

State legislatures around the country have rushed to propose a new series of privacy laws, The New York Times reports. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland (R-District 92) said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” State AGs concurred recently at the IAIPP Privacy Academy. The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

E-mail Encryptors Form Dark Mail Alliance (October 31, 2013)

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption, Forbes reports. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.”
Full Story

ONLINE PRIVACY—U.S.

Netflix Plaintiffs Say Settlement Doesn’t Help Them (October 31, 2013)

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits, MediaPost reports. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google.
Full Story

HEALTHCARE PRIVACY—U.S.

State Medical Board Releases Social Media Guidelines (October 31, 2013)

The Rhode Island Board of Medical Licensure and Discipline has released a set of guidelines for physicians’ use of social media to help establish acceptable patient privacy interaction, Health IT Security reports. The board’s Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice sets standards for protecting patients’ privacy, avoiding online requests for medical advice, acting with professionalism and being transparent about one’s credentials and aware that posts could be publicly available. In a Privacy Perspectives post earlier this year, Indiana University Health Chief Privacy Officer Valita Fredland, CIPP/US, wrote about why healthcare providers should utilize social media.
Full Story

PRIVACY COMMUNITY—U.S.

DHS Seeking a Few Good Privacy Pros (October 30, 2013)
When we reported the appointment of IAPP member Karen Neuman as the new CPO at the U.S. Department of Homeland Security (DHS), we noted she’d get help from the Data Privacy and Integrity Advisory Committee. Well, that could be you. DHS posted in the Federal Register on Monday that it is on the hunt for committee members and that interested parties should submit their applications—basically, a cover letter and a resume—by Monday, November 4. In this exclusive for The Privacy Advisor, Shannon Ballard of the DHS Privacy Office highlights what the committee’s requirements are and what those selected can expect to be doing during their three-year terms.

SURVEILLANCE—EU & U.S.

Top U.S. Intel Officials Testify; Relations Fray Further (October 30, 2013)

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Administration Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU.
Full Story

BEHAVIORAL TARGETING—U.S.

DMA Calls for New Privacy Laws; Marketing Questions Persist (October 30, 2013)

The Direct Marketing Association (DMA) is asking Congress “to overhaul privacy laws in order to protect companies' ability to use data for marketing purposes,” MediaPost reports. The DMA’s requests include asking Congress “to invalidate state laws ‘that endanger the value of data’ and to prohibit consumers from bringing privacy class-action lawsuits,” the report states. On the subject of direct marketing, a Forbes report entitled “Kroger Knows Your Shopping Patterns Better Than You Do” looks at one of the nation’s leading grocery store chains' ad campaigns. Meanwhile, in a separate incident, a DMA e-mail campaign this weekend “reportedly hit more than 100 spam traps and e-mail boxes of some of the world’s most prominent anti-spammers.”
Full Story

DATA PROTECTION—BRAZIL

Brazil To Consider Online Privacy Bill (October 30, 2013)

Politico reports Brazil will take up an online privacy protections bill that business groups fear will stymie the free flow of data. The bill, to be considered by Brazil’s Chamber of Deputies this week, would create restrictions on how Internet service providers use Brazilians’ personal data and would require companies to build local data centers in order to do business in Brazil. “Global data flows rely on data centers dispersed all over the world,” wrote a group of 47 industry reps from the U.S., Brazil, Europe and Japan to Brazil’s National Congress. “Thus, in-country data storage requirements would detrimentally impact all economic activity that depends on data flows.” A vote could take place Monday.
Full Story

DATA COLLECTION—U.S.

The Feds: Data Brokers’ Next Big Customer (October 30, 2013)

CNN reports on one commercial data broker “that tracks and stores the employment and salary information of millions of Americans” and its “big, new customer—the federal government.” The U.S. government is now using The Work Number, a database owned by Equifax that includes “54 million active salary and employment records and more than 175 million historical records,” in a pilot program aimed at determining eligibility for such benefits as food stamps, a World Privacy Forum report has found. The World Privacy Forum is pointing out privacy concerns, including that commercial databases such as this “do not have to meet the same strict privacy and accuracy standards that government-operated databases do,” the report states.
Full Story

CHILDREN’S PRIVACY—U.S.

Fordham Law Releases Privacy Curriculum for Middle Schoolers (October 30, 2013)

Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93 percent of 12 to 17 year olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish open-sourced curriculum for middle school kids, reports this exclusive for The Privacy Advisor. More than a dozen U.S. law schools have signed on to the program.
Full Story

BEHAVIORAL TARGETING—U.S.

Loyalty Cardholders Concerned About Privacy (October 29, 2013)

Privacy is a factor for consumers considering whether to join loyalty card programs, Supermarket News reports. A Mintel survey has found 32 percent of consumers believe “privacy is an important attribute of any loyalty program,” the report states. The study also found that 13 percent of respondents were frustrated “with too much personal information being requested during enrollment” and 10 percent cited concerns about “a lack of control over the privacy of their information,” according to the report. Mintel’s Ika Erwina said, “Reassurance of privacy is undoubtedly a key strategic tool in loyalty program engagement, but there is a paradox at play here between personalization and privacy.”
Full Story

GEO PRIVACY

Location Tracking: Coming to a Government, Employer and Retailer Near You (October 29, 2013)
Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry smartphones with them every step of the day, and as these devices send and receive electronic signals, they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location-tracking analytics is becoming more sophisticated, so too is the range of interested parties—including regulators. IAPP Westin Research Fellow Kelsey Finch examines the issue in this in-depth exclusive for The Privacy Advisor. (Editor’s Note: The IAPP is hosting a web conference on this topic Oct. 31 at 1 p.m. EDT.)

ONLINE PRIVACY

Website, Researcher Rate Sites on Practices (October 29, 2013)

Forbes reports on a fledgling site using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “'I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—was thrust into overdrive since the NSA revelations.
Full Story

ONLINE PRIVACY

The Economics and Future of Cookies (October 29, 2013)

As the IAPP reported in The Privacy Advisor last week, cookies may be reaching the end of the road—but not with a whimper. The Wall Street Journal reports Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites," which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

NSA Reform Bill Expected; Feinstein Backs “Total Review” (October 29, 2013)

House and Senate lawmakers plan Tuesday on introducing legislation to limit the NSA’s surveillance powers, The Hill reports. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Diane Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials.
Full Story

PRIVACY LAW—U.S.

Lawmakers To Reintroduce Kids’ Tracking Act (October 29, 2013)

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button,” reports The Hill. The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age.
Full Story

STUDENT PRIVACY—U.S.

Schools Grapple With Cyberbullying and Privacy (October 29, 2013)

The New York Times reports on emerging social network monitoring systems designed to survey publicly available posts of students and the corresponding issues around free speech and children’s privacy. Now that students’ cries for help and instances of bullying and threats can be found online, several companies are offering software to help schools detect such outbursts, but do schools have the legal right to do so? Several cyberbullying cases have made their way to federal courts. American Association of School Administrators Executive Director Daniel A. Domenech said of the issue, “It is a concern and, in some cases, a major problem for school districts,” adding that the line between school and student rights can be confusing. One school administrator is weary of such online technology, saying, “The safety and well-being of our students is our top priority, but we also need for them to have the time and space to grow without feeling like we are watching their every move.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—U.S.

Mobile Devices To Become Identity Verifiers Thanks to Federal Grants (October 29, 2013)

HID Global and two of its partners have received cybersecurity grants through President Barack Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, Dark Reading reports. The grants will be used to develop systems that will enable mobile devices to carry credentials for identity verification to improve consumer privacy among other things, the report states. Dubbed the NSTIC Key Team, the companies will enable mobile devices “to be used like smart cards to secure applications and networks for a leading social media company, a healthcare organization and the U.S. Department of Defense.”
Full Story

GEO PRIVACY

Mozilla Developing Public Data Service (October 29, 2013)

PCWorld reports Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” "The data would be provided by cell towers, WiFi and IP addresses," the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia.
Full Story

BIG DATA—U.S.

FTC: Ignore Privacy Principles at Your Own Peril (October 28, 2013)
In a column for AdAge, U.S. Federal Trade Commissioner Julie Brill warns the data broker industry that it must protect consumer data or face the consequences. Companies that ignore “basic privacy principles do so at their own peril,” she writes, but urges the industry to join a collective creation of consumer-friendly online services, an initiative she called Reclaim Your Name. Meanwhile, GigaOM reports on the potential regulation by the FTC of the emerging Internet of Things (IoT) market. Referencing a recent settlement with TRENDnet, Hogan Lovells writes that the agency may be taking a broader view of “sensitive data.” The FTC will host a roundtable on IoT next month. An earlier Privacy Perspectives post looked at some of the comments provided to the FTC by industry and advocacy.

PRIVACY LAW

EU, Ecuador and the FTC in This Week’s Tracker Roundup (October 28, 2013)

While much of the news was focused on the EU Data Protection Regulation over the past week, a few other things of note happened in the legal realm as well. For example, the EU Parliament adopted a resolution to suspend SWIFT based on allegations that the U.S. NSA had access to EU citizens’ bank data; the FTC reached a settlement with Aaron’s, Inc., over the company’s consumer spying regime, and in Ecuador, there are concerns that a new penal code could violate citizens’ online privacy. These are just a few of the stories—in addition to information on the LIBE vote and the future of Safe Harbor and the EU regulation—in this week’s Privacy Tracker legislative roundup.
Full Story

SURVEILLANCE—U.S.

Is Privacy Becoming a Charged Political Issue? (October 28, 2013)

Last weekend, the anti-surveillance organization Stop Watching Us held a rally in Washington, DC, to express public dismay with the U.S. National Security Agency’s (NSA) surveillance programs. A video published by the group includes guest spots by several celebrities and the rally boasted politicians from both sides of the political aisle. Like the era of Watergate, widespread fears about government intrusion are back, but will that mean traditional political divides will form around privacy? Now that privacy is becoming a cause célèbre, will it give rise to more traditional political battles? Will the public begin equating privacy with the NSA? And if it does become a charged issue, what will this mean for privacy pros? This installment of Privacy Perspectives looks into these issues to see if history will repeat itself or not.
Full Story

PRIVACY COMMUNITY

Strickland New CPO at JP Morgan Chase (October 28, 2013)

Last week was the first for Zoe Strickland, CIPP/US, CIPP/G, CIPP/IT, as managing director, SVP and CPO at JP Morgan Chase. She has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry. In this exclusive for The Privacy Advisor, we talk with her about new challenges, how the two jobs overlap and why CPOs “can be an asset to the firm outside the company walls.”
Full Story

DATA PROTECTION—EU

Regulation Implementation May Come Sooner Than 2015 After All (October 28, 2013)

EurActiv reports that the European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down.
Full Story

PRIVACY BUSINESS

Entrepreneurs, Businesses Focused on Privacy (October 28, 2013)

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. The Washington Post reports on ManageURiD, formed last year to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE

Spying Fallout Continues; Countries Draft UN Resolution (October 28, 2013)

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities, The Guardian reports. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance.
Full Story

PRIVACY LAW—U.S.

Surveillance Constitutionality May Be Tested in Court (October 28, 2013)

CNET reports U.S. federal prosecutors “intend to use information gathered through the government's warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use "information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act" in a  case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a "big deal" that "will undoubtedly set up a constitutional challenge,” the report states.
Full Story

PRIVACY—U.S.

Opinion: Civil Discovery Can Cost Suspects Privacy (October 28, 2013)

While criminal investigations respect suspects’ privacy by requiring authorities to have probable cause to examine documents stored in a place where there’s a reasonable expectation of privacy, civil discovery cases don’t grant the same protections, writes Foley & Lardner’s Matthew Lynch for Mondaq. However, Lynch writes, “discovery's evolution to address many of its recognized problems promise to also alleviate the unrecognized problem of unnecessarily broad invasions of litigant privacy.”
Full Story

PRIVACY LAW—EU

Hold Your Horses: Reg Delayed Until 2015 (October 25, 2013)
Despite indications from the European Commission that the EU Data Protection Regulation would be fast-tracked for spring of 2014, EurActiv reports today that the conclusions of the EU summit now call for the regulation to be enacted “by 2015,” which the report quotes French President François Hollande as meaning the beginning of that year. While many observers felt the regulation would certainly pass before the May 2014 elections, following the vote of the LIBE committee earlier this week, there is now speculation that the UK’s opposition to the regulation led to the delay. “A senior EU official told EurActiv on condition of anonymity that (UK Prime Minister David) Cameron had fought hard for the 2015 date and began the summit negotiations arguing that it would be better to have no deadline at all.” The same report notes that France and Germany have teamed to review their espionage relations with the U.S. and that Italy is now concerned the UK was involved in spying on Italian government officials. (Editor's Note: Need to make sense of where the EU regulation stands? We've got a web conference for that. And it's free for IAPP members.)

EMPLOYEE PRIVACY—GERMANY & U.S.

Could Works Councils Improve Orgs’ Perceptions of Consumer Data? (October 25, 2013)

A recent article in The New York Times reports that all of the Volkswagen plants in the world have an employee works council, except one in Chattanooga, TN. Mandated in Germany, works councils give employees “a voice in working with management about working conditions in their environment,” writes GMAC Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E. In this installment for Privacy Perspectives, Brandt looks at the intersection of works councils and their effect on employee privacy, asking, “With an increased interest in protecting employee data, could this carry over into how the organization views its customer data?”
Full Story

ONLINE PRIVACY—U.S.

Ruling Threatens Internet Privacy, Brief Says (October 25, 2013)

The Electronic Frontier Foundation (EFF) filed a brief Thursday arguing that a court order requiring secure e-mail provider Lavabit to hand over its master encryption key undermines the security and privacy of the Internet, IDG News Service reports. Filed in the U.S. Court of Appeals of the Fourth Circuit, the brief contends the order would have allowed the U.S. government to access the personal information of all of Lavabit’s 400,000 users. “This is like trying to hit a nail with a wrecking ball,” the EFF brief stated. Meanwhile, LinkedIn’s Intro service is raising privacy and security concerns.
Full Story

DATA PROTECTION

Workarounds Put Brands at Risk (October 25, 2013)

User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52 percent of healthcare workers globally use risky workarounds that are out of compliance with policy, and 66 percent find security protocols "burdensome." This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. In this exclusive for The Privacy Advisor, David Houlding, CIPP/US, explores some of the tools available on the market today.
Full Story

PRIVACY LAW—U.S.

Rep. Johnson to Obama: Use APPS Act To Inform Bill of Rights (October 25, 2013)

In a letter to the White House, Rep. Hank Johnson (D-GA) has asked President Barack Obama to look at his proposed bill, the Application Privacy, Protection and Security Act of 2013 (APPS Act), in working toward a draft of a Consumer Privacy Bill of Rights, Broadcasting & Cable reports. The bill aims to provide more transparency, control and security for consumer data collected by mobile applications through clear notice of the terms of use and a mechanism to end the collection of consumer data. "It is time to move forward with the Consumer Privacy Bill of Rights through legislation," Johnson said in his letter, adding the administration should "keep the APPS Act in mind when looking for legislative solutions to consumer protection on mobile devices."
Full Story

BIG DATA—U.S.

Data Broker Concern Prompts Senate Probe (October 25, 2013)

Recent revelations that a company acquired by Experian may have sold personal data to a group of identity thieves has prompted an investigation by Sen. Jay Rockefeller (D-WV), MediaPost reports. The Experian report comes as Rockefeller and the Federal Trade Commission (FTC) are both already investigating the data broker industry. In a letter to Experian, Rockefeller wrote, “if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data.” On Wednesday, FTC Commissioner Julie Brill called on Congress to enact legislation to regulate the data broker industry.
Full Story

ONLINE PRIVACY

Opinion: Google’s Terms-of-Service Announcement All Wrong (October 25, 2013)

In an opinion piece for AdAge, B.L. Ochman writes an open letter to Google that it “made a huge mistake” in the way it announced its new terms of service. “The way you did it made people angry—completely unnecessarily,” Ochman writes. Beginning November 11, Google will be able to feature users’ names and photos in “shared endorsements.” Users may opt out of the feature, but the new terms of service use complex language. Instead, Google should have made people apply to be used in such endorsements, Ochman writes, adding, “Many of us want the world to know who we are and what we think. Ask any blogger.”
Full Story

ONLINE PRIVACY

Cookies’ Days Are Numbered, but Not Without a Fight (October 24, 2013)
Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology, though, may not outweigh the risks, writes David Tashroudian in this exclusive for The Privacy Advisor.

PRIVACY LAW—EU

What’s Next for the EU Regulation? (October 24, 2013)

“After nearly two years of deliberations, the European Parliament has come out of the legislative closet with its proposed view for a new EU data privacy framework,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “In many respects, the parliament has surprised many of its critics by delivering a draft proposal which is more measured than the European Commission's original text.” In this Privacy Perspectives installment, Ustaran lays out what he believes will happen to the proposed EU regulation and how many of the measures therein “are set to have a very direct impact on the cost of compliance.”
Full Story

PRIVACY ENGINEERING—U.S.

FTC’s Brill to Technologists: We Need Tech Solutions (October 24, 2013)

Speaking yesterday at the Polytechnic Institute of New York University, U.S. Federal Trade Commissioner Julie Brill expanded upon her Reclaim Your Name initiative by directly addressing the next generation of computer scientists, engineers, programmers and technologists, asking them to help develop and create technological solutions to the Big Data-privacy quandary. She presented three main challenges: finding tech solutions for the Fair Credit Reporting Act, the Internet of Things and increased transparency mechanisms. This exclusive for The Privacy Advisor looks at her speech and its call to arms.
Full Story

ONLINE PRIVACY—CANADA & U.S.

Dating Site Backs Off Purchase of Rival’s Database (October 24, 2013)

Canadian online dating site PlentyOfFish has withdrawn its offer to pay $700,000 for Texas-based dating site True.com’s customer database. The decision comes after Texas Attorney General Greg Abbott filed a petition to block the move, citing privacy concerns. True.com filed for bankruptcy protection last year. Its database contains tens of millions of customers’ personal information, including criminal and divorce histories, The Wall Street Journal reports. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—U.S.

Study: Consumers Enjoy Personalized Experience (October 24, 2013)

A recent study indicates consumers want to be understood by the businesses with which they interact, eWeek reports. In the SAS Institute survey, 71 percent of respondents said they are in fact concerned about recent news on government surveillance, but 60 percent said they expect businesses to know their preferences and understand their needs, the report states. In a post for The Wall Street Journal, University of Miami Associate Prof. Robert Plant discusses how consumers can make money off of their own data. Meanwhile, IBM’s Jeff Jonas writes that if a company is going to profit from consumer data, it must at least be transparent about it.
Full Story

ONLINE PRIVACY—EU & U.S.

France Backs Fines for Sharing with U.S. Gov’t (October 24, 2013)

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue, The Telegraph reports. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens trust,” said European Commission President José Manuel Barroso.
Full Story

CONSUMER PRIVACY—U.S.

What Your Biz Can Learn from Latest FTC Settlement (October 23, 2013)
The Federal Trade Commission (FTC) announced on Tuesday that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cybersyping and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement.

CYBERSECURITY—U.S.

NIST Releases Preliminary Cybersecurity Framework (October 23, 2013)

After a short delay caused by the partial U.S. government shutdown, the National Institute of Standards and Technology’s Informational Technology Laboratory has released the Preliminary Cybersecurity Framework required under President Barack Obama’s executive order, “Improving Critical Infrastructure Cybersecurity,” of February 2013. NIST will shortly open a 45-day comment period on the preliminary framework, which will be posted here. Comments can be submitted at csfcomments@nist.gov in Word or Excel format. The feedback is vital and at the top of the document NIST outlines the types of questions they’d like answered, including issues of cost-effective implementation and existing best practices.
Full Story

DATA PROTECTION—EU & U.S.

Parliament To Vote on Suspending SWIFT (October 23, 2013)

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding.
Full Story

CONSUMER PRIVACY—U.S.

Sen. Schumer Backs Offline Do-Not-Track (October 23, 2013)

We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.”
Full Story

PRIVACY

Global Business? Find Privacy Allies Throughout the Company (October 23, 2013)

Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it's important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP's recent Privacy Academy in Seattle, WA.
Full Story

DATA LOSS—U.S.

Laptop Thefts Result in Medical Breaches; DoE Breach Bigger Than Estimated (October 23, 2013)

FierceHealthIT reports on a breach at California’s AMHC Healthcare where two laptops containing the personal health information of 729,000 patients were stolen. According to medical breach data kept by the U.S. Department of Health & Human Services, the breach is the second largest this year. Seton Healthcare Family in Texas has also announced a breach involving a laptop theft. Meanwhile, the Department of Energy says the number of people affected by a breach resulting in stolen data in July 2013 is more than double the number it initially estimated. A new survey indicates two-thirds of U.S. adults wouldn’t return to a business if their personal data was stolen.
Full Story

SURVEILLANCE—U.S.

A Look at the Work of Sen. Wyden (October 23, 2013)

The Atlantic profiles the work of Sen. Ron Wyden (D-OR) around U.S. surveillance, privacy and civil liberties and how it could lead to surveillance reform. Last month, together with Sens. Mark Udall (D-CO), Richard Blumenthal (D-CT) and Rand Paul (R-KY), Wyden introduced legislation with the intent of curbing some of the National Security Administration’s powers. Wyden is particularly focused on the agency’s use of geolocation. And last week, The Washington Post wrote, “If the public and the media should learn one thing from the revelations from former National Security Agency contractor Edward Snowden, it’s to pay very careful attention to what Sen. Ron Wyden says.”
Full Story

HEALTH PRIVACY—U.S.

Tiger Team Uncovers Skepticism of HIPAA Disclosure Rule (October 23, 2013)

As the U.S. Department of Health and Human Services’ Office of Civil Rights prepares to finalize rules for accounting disclosures as part of the HITECH Act, the Privacy and Security Tiger Team (part of the Office of the National Coordinator’s Health IT Policy Committee) is surveying stakeholders, writes Government Health IT, and the stakeholders aren’t thrilled. The disclosure rule allowing patients to ask for a report detailing all internal access to their records is “misguided,” says the American Hospital Association. The Confidentiality Coalition fears “frivolous lawsuits.” The National Association of Chain Drug Stores says there will be “enormous new burdens.” Comments are open through Oct. 25 if you want to chime in.
Full Story

ONLINE PRIVACY—U.S.

House Committee Meeting with Experts To Discuss Digital Privacy (October 23, 2013)

A House of Representatives committee will meet with privacy advocates, a privacy researcher and ad industry reps today to discuss digital privacy, The Hill reports. The House Commerce Committee’s Bipartisan Privacy Working Group, led by Reps. Peter Welch (R-VT) and Marsha Blackburn (R-TN), met with Google, Wal-Mart and data broker Blukai last month. Today’s meeting will include Rachel Thomas of the Direct Marketing Association, Jeff Chester of the Center for Digital Democracy, researcher Adam Theirer and the Consumer Federation of America’s Susan Grant.
Full Story

STUDENT PRIVACY—U.S.

Senators Wants Answers on Student Data Outsourcing (October 23, 2013)

Sen. Ed Markey (D-MA) wants to know how student information is being protected when it comes to data collection and analysis within the education-technology industry. Markey sent a letter Tuesday to Secretary of Education Arne Duncan asking how K-12 schools are outsourcing the management and assessment of student data to technology vendors, The New York Times reports. “By collecting detailed personal information about students’ test results and learning abilities, educators may find better ways to educate their students,” Markey wrote. “However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children.” (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—U.S.

TSA To Screen Passengers Before They Arrive at Airports (October 23, 2013)

The Transportation Security Administration (TSA) is expanding passenger screenings by searching government and private databases for data on passengers—including car registrations and employment information—before they get to the airport, The New York Times reports. The TSA says the practice, which was revealed in documents released by the TSA under government regulations on data use and collection, aims to streamline the security-check process for travelers who don’t pose a threat. “I think the best way to look at it is as a pre-crime assessment every time you fly,” said a spokesman from The Identity Project.  (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU

LIBE Adopts Compromise Amendments; Sends Draft to Council (October 22, 2013)
The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.”

GLOBAL INTEROPERABILITY—EU & U.S.

Post LIBE Vote, Has the Safe Harbor Been Torpedoed? (October 22, 2013)

In light of the LIBE committee vote in the European Parliament, Christopher Wolf, founder and co-chair of the Future of Privacy Forum, writes, “despite the fact that a Commission-initiated review of the EU-U.S. Safe Harbor is pending, it appears the LIBE Committee effectively has called for the end of the Safe Harbor.” In this Privacy Perspectives installment, Wolf looks at Article 43a of the proposed amended EU regulation—the so-called “anti-FISA clause”—to analyze what it could mean for the Safe Harbor moving forward. Wolf warns against abandoning the Safe Harbor and asks the European Parliament and Commission to “take a deep breath, and … take a dispassionate view of (its) effectiveness” before it’s effectively “blown up.”
Full Story

PRIVACY LAW—U.S. & EU

Treacherous Waters: What the World Would Look Like Without Safe Harbor (October 22, 2013)

Following the vote of the LIBE committee in the EU Parliament on the new EU Data Protection Regulation, which would effectively nullify Safe Harbor with its requirements that U.S. companies seek permission before transferring data vulnerable to request for delivery to the U.S. government, it is only responsible for privacy pros to begin envisioning a world without the Safe Harbor agreement that allows data transfer between the world’s two largest trading partners. In this exclusive for Privacy Tracker, IAPP Westin Fellow Kelsey Finch lays out just what Safe Harbor is and what options companies will have for data transfer should it no longer be the law of the land. (IAPP member log-in required.)
Full Story

PRIVACY LAW—U.S.

SCOTUS Won’t Hear Privacy Lawsuit (October 22, 2013)

The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies, Reuters reports. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward.
Full Story

ONLINE PRIVACY

New Open-Sourced Browser Blocks Ads by Default (October 22, 2013)

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X, InformationWeek reports. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward.
Full Story

HEALTHCARE PRIVACY—U.S.

Cali AG Releases Recommendations on ID Theft (October 22, 2013)

California Attorney General Kamala Harris has released a report, “Medical Identity Theft: Recommendations for the Age of Electronic Medical Records,” that includes guidelines for the healthcare industry and insurers on preventing and remedying medical identity theft. The report focuses on the impact of identity theft on the accuracy of medical records and recommends that healthcare providers implement an identity theft response program, build awareness of the dangers and train staff appropriately, among other recommendations. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said Harris. Accompanying the report is also a guide for consumers.
Full Report

HEALTHCARE PRIVACY

Researchers Push for More Patient Data Sharing (October 22, 2013)

Two papers published in the New England Journal of Medicine back an international push to get drug companies to share patient-level data from clinical trials, the Milwaukee-Wisconsin Journal Sentinel reports. Pharmaceutical industry reformers have been calling on drug companies to release patient data in order to ensure the safety and effectiveness of new drugs. Blowback from the release of certain pharmaceuticals, including Vioxx and Avandia, has revealed the dangers of concealed clinical drug trials, the report states. A group of academics advocating for such transparency said, “The question is not whether, but how these data should be broadly shared.” A Europe-based group of researchers said, “A managed-release environment that allows sharing of patient-level data while ensuring patient privacy would create a level playing field for all stakeholders.”
Full Story

HEALTHCARE PRIVACY—U.S.

Health Privacy Startup May Have Privacy Problem (October 22, 2013)

Forbes reports on medical records startup Practice Fusion—which recently received $134 million in venture capital—and its potential privacy problem. The company offers free patient management services. It also has 75 million records of patients’ health conditions and prescriptions. The data is allegedly de-identified and then becomes available for analysts, pharma companies and market research. It launched a doctor review site in April filled with 30,000 doctor profiles and more than 2 million patient reviews. In some cases, neither the doctors nor patients knew the reviews would be available publicly. Meanwhile, Sen. Edward Markey (D-MA) has called on Walgreens to answer the privacy impact of its new “Well experience” pharmacy model.
Full Story

PRIVACY BUSINESS—U.S.

Anonymous VPN Service Shuts Down, Cites Gov’t Intrusion (October 22, 2013)

CryptoSeal Privacy, a service providing anonymous virtual private networks, has shut down the consumer service portion of its business rather than risk U.S. government intervention, Ars Technica reports. The move follows a similar business decision by former e-mail service provider Lavabit. A legal filing in Lavabit’s case has been seen as troubling for Cryptoseal, the report states. CryptoSeal wrote, “Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner … The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service."
Full Story

PRIVACY LAW—ECUADOR

New Penal Code Could Breach Internet Privacy (October 22, 2013)

Recently passed legislation in Ecuador, the Código Orgánico Integral Penal (the Organic Penal Code), is raising concerns from various civil society organizations that it could threaten “the inviolability, storage and subsequent analysis of information that citizens generate on the Internet and on any other telecommunications platforms like landline or cellular telephones,” Global Voices Online reports. According to some organizations raising concerns, the legislation would require all telecommunications companies to store all data traffic of its users, the report states.
Full Story

CLOUD COMPUTING—EU & U.S.

U.S. Group Lobbying To Prevent Cloud Mining in Europe (October 22, 2013)

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools, ZDNet reports. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud.
Full Story

PRIVACY LAW—U.S.

Healthcare Breach Case a Boon for Encryption? (October 21, 2013)
A California appeals court ruled that the Board of Regents at the University of California can't be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. mHealth News reports that the decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion "introduces risks to beneficiaries' personal information."

DATA LOSS

Roundup: The Week in Breaches (October 21, 2013)

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week. In this exclusive for The Privacy Advisor, we give you a roundup.
Full Story

PRIVACY

The Big Data Fight and the Garden of Eden (October 21, 2013)

In the privacy world, we often hear the argument that, in order for the information economy to thrive, personal privacy must be leveraged—that there must be tradeoffs. In a complicated Big Data landscape, conveying transparency and consumer education are huge challenges. But in the latest iteration of the well-known TED Talks, Carnegie Mellon University researcher Alessandro Acquisti—a past co-recipient of the IAPP-Privacy Law Scholars Conference Award for his work on fairness and discrimination in job hiring practices—discusses some of his research and how it shows why privacy matters. This Privacy Perspectives post looks at Acquisti’s talk and how there may be alternative privacy solutions for consumers, businesses and policymakers alike.
Full Story

PRIVACY LAW

Legislation on the Move Globally (October 21, 2013)

This week’s Privacy Tracker legislative roundup highlights changing privacy laws from the U.S. to Bahrain. Revisions to the U.S. Telephone Consumer Protection Act went into effect last week; the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will vote today on amendments to the proposed regulation and directive, and the Bahrain cabinet has preliminarily approved a data protection law. Meanwhile, the UK Information Commissioner’s Office is considering jail time for breaches at the same time as justifying its fining practices. (IAPP member login required.)
Full Story

PRIVACY LAW—EU & U.S.

Opinion: Legislation Can’t Stop the Orbit of Technology (October 21, 2013)

“Like the Catholic Church’s Congregation of the Index of 1616, which outlawed the movement of the Earth around the Sun, so too will the European Parliament restrict transborder data flows by legislative fiat this week,” writes Omer Tene, IAPP VP of Research and Education. “Of course,” he adds, “the flow of data across borders will not cease or even diminish.” In this Privacy Perspectives post, Tene contends that legislation—a slow-moving evolutionary process—will fail to keep up with the faster-moving technological revolution, as it has in the past.
Full Story

CONSUMER PRIVACY—U.S.

Should There Be a Brick-and-Mortar Do-Not-Track? (October 21, 2013)

The Washington Post reports on the tracking capabilities for brick-and-mortar retailers and an initiative to create a sort of Do-Not-Call list for offline tracking. All WiFi and Bluetooth-enabled devices feature a MAC address, which allows routers to send data to the correct recipient. Tracking MAC addresses in a store helps retailers better understand their customers, but some are concerned about privacy. In response, The Wireless Registry, a D.C.-based startup, together with the Future of Privacy Forum (FPF), is helping to build a centralized Do-Not-Call registry for MAC addresses. FPF Director Jules Polonetsky said he is currently working out an agreement among several analytics companies, the report states. The ACLU’s Chris Calabrese, however, is concerned the plan could lead “to more tracking rather than keeping you from being tracked.” (Registration may be required to access this story.) Editor’s Note: Polonetsky will be a panelist on the upcoming IAPP web conference on brick-and-mortar tracking, Thursday, October 31.
Full Story

GOVERNMENT PRIVACY

NSA Director Retiring, Opportunity for Administration (October 21, 2013)

The Obama administration has announced that National Security Agency Director Gen. Keith Alexander plans to retire in the spring, and privacy advocates are seeing this as an opportunity to improve oversight at the agency, The Hill reports. Currently, the administration has the ability to appoint a new director without approval. However, Senate Intelligence Committee Chairwoman Dianne Feinstein (D-CA) has a proposal on the table to require Senate approval for the appointment, though Electronic Privacy Information Center Attorney Amie Stepanovich said that measure would effectively give the "Senate Intelligence Committee—which has not protected individual rights—even more power." She also expressed her hope that the next appointee is “more aware of these real constitutional and statutory issues and will make sure that individual rights are more protected."
Full Story

DATA PROTECTION—U.S.

Company Sells Customer Data to ID Theft Service (October 21, 2013)

Krebs on Security reports that an identity theft service, in the businesses of selling Social Security and driver’s license numbers and bank account and credit card data, allegedly purchased a portion of the data from Court Ventures, a company recently purchased by Experian. According to the report, the Secret Service is investigating the incident. In a statement, Experian said it acquired Court Ventures “because of its national public records database,” adding, “After the acquisition, the U.S. Secret Service notified Experian that Court Ventures had been and was continuing to resell data from U.S. Info Search to a third party possibly engaged in illegal activity.” Experian said none of its credit files were accessed.
Full Story

BIG DATA

Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)
What do you get when you put chief privacy officers from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends. In this exclusive for The Privacy Advisor, we give you the rundown on a wide-ranging discussion that provided key insights on decision-making and tactics.

FINANCIAL PRIVACY—U.S.

Are Banks Regularly Violating the GLBA? (October 18, 2013)

Forbes reports on the selling of personal information by the financial industry and new research by Carnegie Mellon University Prof. Lorrie Faith Cranor. She, along with her students, analyzed 3,422 financial institutions to better understand their data-sharing practices and to see whether they comply with the Gramm-Leach-Bliley Act (GLBA). Her research found that practices varied widely—including 27 organizations that violated GLBA regulations altogether, the report states. “There is really no way for a consumer to find the good banks,” Cranor said, “because you would never think to check all the privacy policies.” JP Morgan Chase Director of Public Affairs Steve O’Halloran said, “We post our consumer privacy notice on Chase.com. On this page, you’ll notice that customers can limit information that is shared with affiliates and non-affiliates.”
Full Story

PRIVACY COMPLIANCE—U.S.

Senate Bill Ending Shutdown Funds PCLOB (October 18, 2013)

Some observers noted this week that the U.S. Senate bill to provide continuing appropriations and effectively reopen the U.S. government also contained $3.1 million in funding for the Privacy and Civil Liberties Oversight Board (PCLOB). Was this an indication that the Senate was sneaking in extra funding for PCLOB in light of the NSA revelations and increased awareness of privacy issues? In this exclusive for The Privacy Advisor, hear from PCLOB’s executive director about where the money came from.
Full Story

WEB CONFERENCE

Where Information Security Meets Privacy Law (October 18, 2013)

Much has been said about what ought to be required of data processors and controllers with regard to securing and retaining private citizens’ personal information. But how to marry the dual demands of securing personal data while allowing proper access to those who need it, all the while complying with applicable jurisdictional and sectoral laws? Join this virtual discussion with two seasoned Brussels-based privacy and security experts and a European regulator to hear practical solutions to these challenges, and how they relate to the proposed EU data protection regulations during the IAPPs web conference “Applied Privacy in the EU—Where Information Security Meets Privacy Law,” on Thursday, November 14.
More Information

PRIVACY LAW—EU

The LIBE Vote: What It Really Means (October 18, 2013)

The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strasbourg. This Privacy Tracker post outlines the steps that come after Monday’s vote in order to create a new data protection law in the EU and offers insight into what EU privacy pros are saying about the likely outcome. “While this is a very important step in the process of coming to an agreement on what EU data protection rules will look like in the future, this is just step two in a process that may continue on for some time,” the report states. (IAPP member login required.)
Full Story

PRIVACY LAW—EU & U.S.

Amendment Would Require EU Permission for U.S. Law Access (October 18, 2013)

Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups have written to European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—EU

ECJ: Protection Against Passport Fraud Outweighs Privacy (October 18, 2013)

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU's Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof," the court has said.
Full Story

ONLINE PRIVACY—U.S.

Texas AG Seeks To Stop Dating Service’s Database Sale (October 17, 2013)
Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved, KFYO reports. True.com filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for True.com and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said.

PRIVACY LAW—EU

Two Years Later, LIBE To Vote on Reg (October 17, 2013)

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strausburg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.”
Full Story

SOCIAL NETWORKING

Facebook Changes Teen Privacy Rules (October 17, 2013)

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.”
Full Story

MOBILE PRIVACY

Indoor Location Market Set To Boom; Privacy Concerns Loom (October 17, 2013)

In a column for MediaPost, Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. Editor’s Note: The IAPP will host the web conference Brick-and-Mortar Is Back—Emerging Privacy Issues for U.S. Retailers on Thursday October 31.
Full Story

ONLINE PRIVACY—U.S.

Brill To Headline “Reclaim Your Name” Event at NYU (October 17, 2013)

Now that the partial government shutdown is over, FTC Commissioner Julie Brill can focus on her next public speaking event. She will headline NYU-Poly’s third Sloan Cybersecurity Lecture, “Reclaim Your Name: Privacy in the World of Big Data,” to be held October 23, with a speech she promises will be “pretty colorful.” In this exclusive for The Privacy Advisor, Brill previews her talk by saying companies are already responding to her call for data transparency and the ability to correct and suppress. “I look at Acxiom’s AboutTheData website as a response to what I called for,” she said. “It’s not nearly full-blown Reclaim Your Name, but it’s a first step toward providing more transparency to consumers about data collection and use practices.”
Full Story

PRIVACY LAW—U.S.

Advocates Want Changes to Google Settlement (October 17, 2013)

A collection of privacy and consumer advocates are pressing U.S. District Court Judge Edward Davila to halt a class-action settlement that would have Google pay $8.5 million to seven nonprofit organizations and schools, MediaPost Blogs reports. Of those slated to receive the settlement money, the groups contend that the World Privacy Forum is the only organization that has previously challenged Google on any privacy issues. In a letter to Davila, the coalition—which includes the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights and Privacy Rights Clearinghouse—wrote, “The groups proposed are not at all aligned with the interests of the class members.”
Full Story

BIG DATA

The Dangers of Democratized Big Data (October 17, 2013)

In a report for Forbes, Woodrow Hartzog and Evan Selinger write about the dangers of democratized Big Data. Whereas presently only a few organizations use Big Data tools and techniques, in looking at the democratization of myriad Internet-based technology such as apps, cloud storage and encryption, “Big Data seems next,” the report states. Facebook’s Graph Search is an example of the progression, allowing users to look at a vast amount of data to see what other users “like.” As technology advances and more users have access to Big Data analysis, “privacy through obscurity” will become increasingly important because having “to resort to a complete withdrawal from public life simply is too steep a price to pay for whatever benefits Big Data brings,” the authors write.
Full Story

PRIVACY COMMUNITY

IAPP Hits 14k Members, Expands Into New Space (October 17, 2013)

By coincidence, the IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices.
Full Story

PRIVACY LAW—U.S.

Is DoJ Setting Up New SCOTUS Wiretapping Test? (October 17, 2013)

The New York Times reports that the U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” (Registration may be required to access this story.)
Full Story

CLOUD COMPUTING—EU

Europe Aims To Lead With the Cloud (October 17, 2013)

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection, Out-Law.com reports. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” "Trust can be restored with more transparency and the use of high standards," the commission said. "A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential."
Full Story

DATA RETENTION—U.S.

City To Tighten Plate-Scanning Retention Limits (October 17, 2013)

In response to an open records request, the Pittsburgh Parking Authority (PPA) will tighten its license plate scanning policy and regularly delete scanned photos from its database, the Pittsburgh Post-Gazette reports. Over the last eight years, the authority has taken millions of photos of parked vehicles and stored the data for up to 30 days in a database that potentially can be used to track a vehicle’s movement around the city, the report states. In a letter, PPA Executive Director David Onorato wrote, “This type of information will no longer be accessible, except with respect to vehicles that have outstanding parking tickets.” The Pennsylvania chapter of the American Civil Liberties Union applauded the move, with one representative saying, “It is really creepy when you can say, ‘You were at the Giant Eagle at such and such a time.’”
Full Story

CONSUMER PRIVACY—U.S.

New TCPA Rules in Effect Today (October 16, 2013)
The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. (IAPP member login required.)

PRIVACY LAW—U.S.

Are Class-Actions Becoming Too Big To Settle? (October 16, 2013)

The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Does the U.S. Have a De Facto National DPA? (October 16, 2013)

Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Sytems. Or any of the dozens of other companies that have been pursued by the U.S. Federal Trade Commission (FTC) over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC.
Full Story

PRIVACY BUSINESS—U.S.

NSA Leaks Usher In Privacy Tech Profits (October 16, 2013)

Financial Times reports on the burgeoning privacy-enhancing technology business and the rising profits stemming from Edward Snowden’s surveillance disclosures. Businesses and governments, in addition to journalists, are demanding encryption services for protection. Silent Circle, which offers text and phone encryption services, is used by 16 of the Fortune 50 companies. Silent Circle CEO Mike Janke said, “We were growing 100 percent a year before the NSA/PRISM scandal; now we are growing at 400 percent.” He added, “Ten years ago, if you had encryption on a device, people asked what you are hiding. Now if you’re a businessperson and you don’t have it, people ask if you’re stupid.” Capital is also being invested in the privacy tech industry. All Things D reports that privacy startup Personal, which offers a digital vault service, has raised $4.5 million. According to USA Today, Yahoo will begin default encryption services in January. (Registration may be required to access this story.)
Full Story

BIOMETRICS

Fingerprint Sensor: Tech Wonder or Privacy Headache? (October 16, 2013)

In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be “the most newsworthy piece of the new mobile device”—its fingerprint sensor. The sensor allows for biometric securing of what’s becoming one the most personal devices people own. This exclusive for The Privacy Advisor offers a primer on biometrics and the potential “privacy alarms” triggered by the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.
Full Story

PRIVACY LAW—U.S.

A Model Bill To Put CPOs in State DoEs (October 16, 2013)

Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). In this Privacy Tracker blog post, Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations,” writes Kaplan. (IAPP member login required.)
Full Story

BIG DATA

If Consumers Are Scared of It, Regulation Will Follow (October 16, 2013)

In this exclusive for The Privacy Advisor, iappANZ Director Peter Leonard discusses threats to Big Data’s success. “If bad practices and bad media further promote businesses and government to be less transparent about their data analytics projects, public perception of business and government colluding in secrecy will grow, prompting more prescriptive regulation,” Leonard writes, adding, “Big Data and the privacy regulatory and compliance response to it will be one of the most important areas for development of operational privacy compliance for the next five years.”
Full Story

BIG DATA

“U.S.-Style” Data Collection Spreads Globally (October 16, 2013)

The business trend of collecting the maximum amount of information about customers and potential clients is being adopted by businesses around the world, according to Forbes. One international data catalog advertisement by California-based data broker Infocore states, “For example, you might be interested in female, affluent customers in China, Hong Kong and Singapore … From that we’ll access our repository and send you a custom data summary.” The company has access to 6.5 billion records worldwide and expects to have access to 10 billion by next year, according to the report. Infocore President and CEO Kitty Kolding said, “The data industry is very nascent right now … But there is a lot of long-term profit to be had.” In some countries, however, the data is obtained through questionable methods, Kolding said, adding, “In China, there is way more data than you would think … Some of it is dodgy.”
Full Story

DATA PROTECTION—U.S.

Report: Most Breaches Come From the Inside (October 15, 2013)
A new report reveals that the most common cause of a data breach within an organization stems from inadvertent misuse of data by employees, PCWorld reports. Conducted by Forrester Research, the report, Understand the State of Data Security and Privacy, surveyed organizations from Canada, France, Germany, the UK and the U.S. with two or more employees. Approximately 42 percent of small- to medium-sized organizations surveyed had received some sort of internal data protection training. Forrester Analyst Heidi Shey, author of the report, said, “A lot of organizations haven’t invested in a dedicated privacy group or function,” and many IT departments have privacy as an extra layer, adding that, moving forward, organizations may conclude they need a dedicated privacy group. Meanwhile, startup Lookout is stepping into the bring-your-own-device arena by offering an app that bolsters smartphones against data breaches.

DATA PROTECTION—U.S.

Regulators Ask Microsoft To Tweak Policies (October 15, 2013)

European data protection regulators have asked Microsoft to tweak its Internet product policies as part of a formal probe into privacy issues, Bloomberg reports. The Article 29 Working Party has “identified a number of areas where improvements are required,” according to a statement. “Microsoft was asked to send its response very shortly, explaining how and when it would implement” the recommendations. The regulators added they are confident that an agreement will soon be reached and indicated Microsoft has been cooperative during the investigation.
Full Story

PERSONAL PRIVACY

On Embarrassing Photos and Personal Accountability (October 15, 2013)

The dynamic nature of the Internet allows for information to flow quickly, but when it involves embarrassing photos, it can be a very damaging experience for an individual. In a recent column for Salon, Caitlin Seida wrote about her experience of having one such photo go viral and the harm she experienced. However, Seida took steps to be accountable for the incident and took personal control over her photo. This Privacy Perspectives post looks into her incident and explores how businesses may improve their accountability by showing their users how they can be accountable by providing them with tools for better control over their data.
Full Story

ONLINE PRIVACY—U.S.

Google Policy Changes Raise Eyebrows (October 15, 2013)

Reuters reports Google plans to launch ads similar to Facebook’s “social” ads, which incorporate photos, comments and names of users. The changes were announced in the company’s revised terms of service last week. EPIC’s Marc Rotenberg said such ads unfairly commercialize Internet users’ images. Sen. Ed Markey (D-MA)  has asked the Federal Trade Commission (FTC) to look at Google’s privacy changes, writing in a letter to the FTC that the policy raises questions about “whether Google is altering its privacy policy in a manner inconsistent with its consent agreement with the commission and, if the changes go into effect, the degree to which users’ identities, words and opinions could be shared across the web.”
Full Story

ONLINE PRIVACY—U.S.

DMA Releases Study Touting Data-Driven Job Production (October 15, 2013)

The Direct Marketing Association (DMA) has released a study indicating data-driven marketing led to 675,000 jobs in the U.S. in 2012, The Hill reports. The study responds to an increasing focus on regulating online tracking and data-driven marketing, a push that often puts the online ad industry on the defensive. The DMA’s Rachel Thomas said the study’s release aims to help change that. Meanwhile, the Better Business Bureau says “a ‘significant minority’ of publishers don’t follow self-regulatory rules requiring enhanced notice about data collection,” MediaPost reports.
Full Story

SURVEILLANCE—U.S.

Are Providers Outside the U.S. Safer from Gov’t Intrusion? (October 15, 2013)

The Washington Post reports on the National Security Agency’s (NSA) harvesting of hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world. Each day, the NSA collects contacts from about 500,000 buddy lists and web-based e-mail accounts, the report states. Meanwhile, Solicitor General Donald Verrilli has asked Supreme Court justices not to hear the Electronic Privacy Information Center’s case asking for an immediate shutdown of NSA phone surveillance of Americans. In San Francisco, tech company BitTorrent has owned up to defacing its own billboards in order to capitalize on privacy fears following NSA revelations. And a U.S. appellate court has unsealed a set of documents pertaining to Lavabit, whose founder resisted government pressure for access to it. Ars Technica says, despite NSA revelations, foreign e-mail providers may not be any safer from government intrusion than those based in the U.S. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Big Data Meets Local Law Enforcement (October 15, 2013)

The New York Times reports on the increased use by local law enforcement agencies of Big Data surveillance technology and the corresponding privacy concerns. Particularly, the city of Oakland, CA, recently received $7 million in federal funding to help fight terrorism at its major port. The money, according to the report, is being used for a police initiative including the purchase of gunshot-detection sensors in East Oakland and license plate scanners in police cars. Federal money is also supporting similar initiatives within the New York Police Department, including a system that links more than 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Oakland City Councillor Libby Schaaf said “it’s our responsibility to take advantage of new tools that become available,” but added that the system could “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.” (Registration may be required to access this story.)
Full Story

STUDENT PRIVACY—U.S.

Advocacy Group Calling for Better Protections (October 15, 2013)

The New York Times reports on Common Sense Media’s call for the educational technology software industry “to develop national safeguards for the personal data collected about students from kindergarten through high school.” In a letter sent to 16 educational technology vendors, the advocacy group urged that student data be used “only for educational purposes and not for marketing products to children or their families.” Common Sense Media CEO James P. Steyer said, “We believe in the power of education technology, used wisely, to transform learning … But students should not have to surrender their privacy at the schoolhouse door.” Meanwhile, the Alabama Federation of Republican Women is criticizing an Alabama school board policy as a threat to student privacy. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

New TCPA Rules: Steep Compliance Challenge Effective Next Week (October 11, 2013)
On October 16, new Federal Communications Commission (FCC) rules regarding promotional calls and text messages take effect. These regulations amend the Telephone Consumer Protection Act (TCPA) and bring the FCC’s notice requirements into conformity with the FTC’s prior express written consent standards under the Telephone Consumer Fraud and Abuse Prevention Act (TCFAP). Although these changes increase consistency across federal regulations, they also present new compliance challenges and regulatory risks for companies with established calling lists and practices. In this exclusive for Privacy Tracker, Westin Research Fellow Kelsey Finch explains what you need to do to get in compliance and avoid sanctions. (IAPP member login required.)

PRIVACY LAW

Debating the “Where” of Online Jurisdiction (October 11, 2013)

In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. These cases join a long line of disputes pitting global online companies against national privacy regulators and raising to the fore the thorny questions of personal jurisdiction and applicable law on the Internet. In this exclusive for The Privacy Advisor, Westin Research Fellow Dennis Holmes examines how online jurisdiction is likely to be affected by two major upcoming factors.
Full Story

PRIVACY LAW—U.S.

One State, Two Cases, Dramatically Different Outcomes (October 11, 2013)

Two public entities, the Minnesota Department of Natural Resources (DNR) and the Rock County Office of Child Support Enforcement—both with snooping employees and both facing class-actions by victims to recoup losses. So why was there a $2 million discrepancy in their outcomes? In this exclusive for Privacy Tracker, Lindsey Partridge puts the cases side by side and ponders why the two cases can seem so similar and yet end so differently. (IAPP member login required.)
Full Story

BIG DATA—U.S.

Is There a Paradigm Shift in Minimization Philosophy? (October 11, 2013)

“The recent NSA revelations demonstrate a broader trend,” writes Andrew Clearwater, CIPP/US, “A retreat from minimization in collection and a move toward minimization in use.” There’s clearly a well-established list of tools on when to apply minimization, going back to the U.S. Department of Health, Education and Welfare Fair Information Practices in 1973 all the way through the EU Data Protection Directive 95/46/EC in 1995. In this latest installment of Privacy Perspectives, Clearwater outlines the paradigm shift Big Data has posed on minimization philosophy.
Full Story

PRIVACY LAW—U.S.

Google Wants ECPA Exception Examined (October 11, 2013)

Google has asked a federal judge for permission to take questions about federal wiretapping laws before a Gmail class-action advances any further, Courthouse News Service reports. Multi-district claims over Google’s changes to its privacy policy last year have been combined into a single, massive class-action accusing the company of violating federal and state wiretapping, privacy and computer fraud laws. In a filing Wednesday, Google said it wants questions about exceptions to the Electronic Communications Privacy Act answered by the Ninth Circuit before the suit moves forward.
Full Story

BEHAVIORAL TARGETING—U.S.

Markey Urges FTC To Vet Tracking Technologies (October 11, 2013)

Sen. Ed Markey (D-MA) has called on the Federal Trade Commission (FTC) to investigate technologies that allow companies to track users across multiple devices, The Hill reports. “Such persistent and pervasive tracking raises a number of important privacy concerns for all Americans,” Markey said in a letter to the FTC Thursday. Meanwhile, a new report from privacy researchers indicates many websites are using new technology to secretly track users’ browsing habits. At the EmTech 2013 conference in Cambridge, MA, this week, a senior advisor to Microsoft CEO Steve Ballmer said a new privacy model is needed to address the ways data is gathered, eWEEK reports.
Full Story

PRIVACY

Airbnb Says “Nay” to AG’s Request for Data (October 11, 2013)

New York State Attorney General (AG) Eric Schneiderman demanded that apartment-sharing site Airbnb release user data on 15,000 New York City apartment hosts to investigate the legality of the site, but Airbnb has filed a motion in the New York State Supreme Court objecting to the AG’s demands, Business Insider reports. In a statement, an Airbnb spokesman said, “The subpoena issued by the attorney general last Friday goes well beyond bad actors and demands information about thousands of regular Airbnb hosts in New York. So, we made it clear to the attorney general’s office from the very beginning that we would never agree to this type of government-sponsored fishing expedition.”
Full Story

PRIVACY LAW—EU

Groups Lobbying “Furiously” Ahead of Oct. 21 Regulation Vote (October 11, 2013)

AdAge reports on the European Parliament’s vote on “the introduction of the harsh new Data Protection Regulation,” scheduled for October 21, suggesting it will place the “battle between Big Data and individual privacy” front and center. With such organizations as the World Federation of Advertisers and the Industry Coalition for Data Protection “furiously lobbying ahead of the vote, hoping for a lighter-touch regime to protect the interests of business,” the report notes that while this month’s vote is not the last step in the process, “it is a key step in determining the outcome.”
Full Story

SOCIAL NETWORKING

Facebook Privacy Tool To Be Removed (October 11, 2013)

Facebook has announced the final phase of removing an old privacy feature from the site, USA TODAY reports. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting.
Full Story

PRIVACY LAW—U.S.

Google Wins Lawsuit Dismissal (October 10, 2013)
Google has won the dismissal of a lawsuit that alleged it had violated computer users’ rights by slipping electronic cookies into their web browsers in the name of targeted advertising, Bloomberg reports. Consumers sued in federal court alleging Google tricked their browsers into accepting the cookies. But U.S. District Court Judge Sue Robinson said in her opinion that users “didn’t demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act, the report states.

ONLINE PRIVACY

W3C Do Not Track in Limbo (October 10, 2013)

Yesterday, the W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month, said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. In this exclusive for The Privacy Advisor, we break down the vote and comments from the voters.
Full Story

DATA LOSS

October Shaping Up To Be Month of Innumerable Breaches (October 10, 2013)

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premiere search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for The Privacy Advisor, we round-up an already very busy month in data breaches and responses.
Full Story

SURVEILLANCE—U.S.

What’s Next for NSA Surveillance and U.S. Business? (October 10, 2013)

On Wednesday, the Cato Institute, a public policy research organization, held a daylong conference on the recent U.S. National Security Agency (NSA) surveillance disclosures. Titled NSA Surveillance: What We Know; What to Do About It, the conference was packed with privacy advocates and lawyers, journalists, technologists, academics and public policy and security experts. The day was also peppered with three keynotes from Sen. Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI). This exclusive for The Privacy Advisor looks at some of the highlights from the day, including a new bill introduced by Sensenbrenner, and the changing paradigm for businesses providing privacy-enhancement services.
Full Story

ONLINE PRIVACY

Study Looks at Privacy Personalities (October 10, 2013)

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy, The Washington Post reports. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” (Registration may be required to access this story.)
Full Story

BIG DATA—U.S.

Data-Mining App Receives $10M in Funding (October 10, 2013)

Fast Company reports on Refresh, a mobile app that mines data of individuals present at meetings by gleaning information from social networks and other publicly available sources, and how the app has just received $10 million in venture capital. Refresh founder Bhavin Shah said, “It’s common now for each of us to have 10-plus years of posts, tweets, job history, Q&A, check-ins, etc. Now is the right time to start leveraging that fragmented information to make us more thoughtful and intelligent about our friends, colleagues and everyone we meet.” He added that Refresh’s work “allows us to anticipate who you’re going to meet today and consolidate interesting information about them into a just-in-time dossier delivered to your smartphone.”
Full Story

PRIVACY IN POP CULTURE

Eggers Book Satirizes Threat to Privacy (October 10, 2013)

The Associated Press reviews Dave Eggers’ book The Circle, which satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times wonders if the novel will change the way we use technology.
Full Story

HEALTHCARE PRIVACY—U.S.

Texas HSA Tells Providers: Get Certified (October 10, 2013)

HealthData Management reports on the Texas Health Services Authority’s efforts toward HIPAA-compliance for providers and its call for providers to become privacy and/or security-certified. Citing the potential penalties at the state and federal level—including the Texas Medical Records Privacy Act’s authorization of fines ranging from $5,000 to $1.5 million per violation—the report highlights the authority’s efforts moving forward on a voluntary HIPAA compliance certification program authorized in a 2011 state law. The Health Information Trust Alliance is creating the certification recommendations.
Full Story

DATA LOSS

Researcher Finds Encryption Flaw in WhatsApp (October 10, 2013)

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown,” Ars Technica reports. A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.”
Full Story

PRIVACY—U.S.

Judge: Intelligence Director Withheld Docs Properly (October 10, 2013)

A federal judge has ruled the director of national intelligence properly withheld documents related to how his office uses databases to fight terrorism, Courthouse News Service reports. The Electronic Privacy Information Center filed suit in Washington, DC, after obtaining documents via a Freedom of Information Act request with the Office of the Director of National Intelligence on how the National Counterterrorism Center gets information from other federal agencies, the report states. Meanwhile, Director of the National Security Agency (NSA) Gen. Keith Alexander said the NSA must regain consumer and industry trust. In an opinion piece for Aljazeera America, Dan Froomkin opines that what’s needed is not promises from politicians but a public discussion of what privacy means in this new era.
Full Story

CONSUMER PRIVACY—U.S.

FTC Poised To Fill the Legislative Gap (October 9, 2013)
Federal Trade Commission (FTC) Chairman Edith Ramirez says the FTC should regulate the evolution of Big Data in the interest of consumer privacy, Ad Age reports. As such, companies should be looking at the FTC’s 2012 Privacy Report, opines attorney Alan Friel. In a recent speech, Ramirez said, “Like a vigilant lifeguard, the FTC’s job is not to spoil anyone’s fun but to make sure that no one gets hurt,” adding that consumers are harmed when companies gather more data than they need. In the absence of a national legal standard for data privacy and security, companies should be aware the FTC is willing to step in and fill the void, Friel writes.

SURVEILLANCE—U.S.

Opinion: Transparency May Prevent Draconian Law (October 9, 2013)

In an opinion piece for Computerworld, Minnesota Privacy Consultants’ Jay Cline, CIPP/US, discusses a “growing cultural divide on privacy” as indicated by the Edward Snowden revelations. A poll taken in May before the Snowden revelations revealed a 30-percent level of trust in the U.S. government. That number dropped to 19 percent four months later. “If we don’t trust our institutions, especially the government, they can’t work for us,” Cline writes. In the same poll, 70 percent of American adults said they would be more trusting of government surveillance if they were told how their personal information is protected, indicating transparency may be what is needed to prevent a grassroots movement toward “a more draconian legislative solution.”
Full Story

ONLINE PRIVACY—LUXEMBOURG & THE NETHERLANDS

Dutch DPA Unable To Take Action Against Netflix (October 9, 2013)

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg, ZDNet reports. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.”
Full Story

CONSUMER PRIVACY—U.S.

Bolstering Brick-and-Mortar Transparency (October 9, 2013)

Improved technology now allows brick-and-mortar retailers to collect data—including location and contacts—from customers’ smartphones, but according to research conducted by Create with Context (CwC), only 33 percent of the customers surveyed were aware of such collection. Previous research has revealed that when customers are unaware of such data collection—but then find out about it later—trust erodes. “How, then,” Ilana Westerman and Gabriela Aschenberger, both of CwC, ask, “can businesses create transparency around data collection?” In this Privacy Perspectives installment, Westerman and Aschenberger explore how brick-and-mortar retailers can be transparent and bolster their customers’ trust. Editor’s Note: The IAPP will host the web conference Bricks-and-Mortar Is Back—Emerging Privacy Issues in Retail Settings in the U.S. on Thursday, October 31.
Full Story

CONSUMER PRIVACY—U.S.

App Tracks Consumers … Right to Aisle Six (October 9, 2013)

Blouin News reports on a shopping app that tracks consumers and gives them discounts based on their location. Capable of detecting microlocation—detecting such minute details as the aisle of a store in which a consumer is standing—it communicates with the Bluetooth in users’ cellphones and alerts them to tailor-made discounts. The app’s investors and CEO “are betting on the fact that consumers won’t mind tracking if they get a significant payback from it,” the report states. The app raised $8 million in venture capital Tuesday.
Full Story

PRIVACY RESOURCES

Not a Big Tech Firm? We Can Still Help (October 9, 2013)

We at the IAPP know that it’s not only large organizations that struggle with privacy issues; small- and medium-sized businesses also need tools and guidance. With fewer employees and often lower budgets, smaller businesses have unique needs. This Close-Up offers tips and guidance from the experts on protecting consumer data, creating online privacy policies, minimizing human error and conducting employee background checks, among other tools. (IAPP member login required.)
Close-Up: Small- and Medium-Sized Businesses

PRIVACY COMMUNITY—U.S.

Rosenthal Is NAI’s New General Counsel, VP (October 9, 2013)

The Network Advertising Initiative (NAI) has announced that longtime member company representative Noga Rosenthal, CIPP/US, has joined the NAI as its general counsel and vice president of compliance and policy. Rosenthal, who was formerly the senior vice president of 24/7 Media and Media Innovation Group, LLC, “will assist the NAI in its core mission of reinforcing responsible business and data management best practices through the development and rigorous enforcement of high standards,” Ad Ops reports. “With online advertising expanding every year and the role of third parties and the technologies they employ highly debated by lawmakers and industry representatives, it is an incredibly important time to be joining the NAI team,” Rosenthal said.
Full Story

PRIVACY POLICIES—U.S.

Harvard To Hold Meetings on E-mail Privacy Policy (October 9, 2013)

A Harvard University taskforce will hold two meetings this month to collect feedback from students, faculty and staff on the school’s e-mail privacy policies, Boston.com reports. The move comes after fallout from revelations earlier this year that school administration officials covertly searched approximately 14,000 e-mails to find the leak that led to a cheating scandal. In addition to the two meetings, the taskforce has launched a discussion blog and has met several times over the summer to define “underlying principles and questions that it hopes to discuss with the community in the coming months,” according to a university statement, which added, “Among the principles: transparency about the realities of technology, the importance of fostering trust in the Harvard community and respect for the privacy interests necessary to ensure academic inquiry.”
Full Story

DATA PROTECTION—CANADA

He Protects the Data ... By Destroying It (October 9, 2013)

You might call Ken Clupp a privacy professional by proxy. While he doesn't draft privacy policies or model contracts, he's certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn't ever be put back together again. This exclusive for The Privacy Advisor describes Clupp’s unique position within the Royal Canadian Mounted Police and might surprise you with what you don’t know about shredding.
Full Story

PRIVACY LAW—U.S.

What CalOPPA’s New Disclosure Requirements Mean for Your Business (October 8, 2013)
On Friday, September 27, Gov. Jerry Brown signed into law California Assembly Bill 370, which amends the California Online Privacy Protection Act requiring businesses to disclose how they respond to Do-Not-Track (DNT) signals. The new law, which may effectively apply to any website or mobile app in the world, is the first to officially address the DNT mechanism endorsed by the Federal Trade Commission and debated by industry. While the disclosures required under the new law appear straightforward, they present formidable compliance challenges for covered businesses given that they mandate the implementation of standards and concepts that are not well settled in law or practice. In this exclusive Privacy Tracker post produced by the IAPP Westin Research Center, we examine the language of the new provisions and discuss some of the resulting complexities. (IAPP member login required.)

PRIVACY LAW—EU

Justice Ministers Support “One-Stop Shop” (October 8, 2013)

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organizations doing business within the EU, IDG News Service reports. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.”
Full Story

SURVEILLANCE

EU-U.S. Safe Harbor, Australian Gov’t Actions Questioned (October 8, 2013)

Press TV reports on the European Parliament's Electronic Mass Surveillance of EU Citizens Inquiry’s discussion on the EU-U.S. Safe Harbor data sharing agreement and concerns “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false”—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.”
Full Story

ONLINE PRIVACY

W3C To Vote on DNT Effort Wednesday (October 8, 2013)

Web standards group the World Wide Web Consortium is set to vote Wednesday on whether it will continue with its Do-Not-Track (DNT) standard, The Hill reports. Justin Brookman, the group’s newly appointed co-chairman, said he expects stakeholders “will express a desire to move forward,” adding, “We’ve had a couple of calls under the new leadership now, and so far the new structure seems to be working.” If the group expresses a desire to not move forward, Brookman said it would be “better to end it now than spend another two years squabbling and not coming to a resolution because people aren’t invested in the process.” The Washington Post reports that the increasing move by consumers to mobile will likely make current cookie-based DNT technology less relevant. According to several surveys, the majority of users now surf the web via mobile apps rather than browsers.
Full Story

DATA PROTECTION—U.S.

AGs: We Aren’t Afraid To Flex Our Muscles (October 8, 2013)

Bloomberg reports on a session at the IAPP’s Privacy Academy last week in which representatives from the offices of three state attorneys general (AGs) said they aren’t reluctant to bring actions against companies involved in data breaches. Vermont Attorney General William Sorrell said AGs would bring such action to “serve as an example to other companies and … to have a relatively equal playing field.” Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, of the California AG’s office pointed to the recent creation of a privacy unit under California AG Kamala Harris as proof of privacy’s importance to the state.
Full Story

ONLINE PRIVACY—U.S.

Plaintiffs Seek Class-Action Over E-mail Scanning (October 8, 2013)

A complaint filed in the U.S. District Court for the Northern District of California alleges Yahoo violated California privacy and federal electronic communications laws by scanning nonusers’ e-mails in the name of targeted ads, Bloomberg reports. The plaintiffs, who are not Yahoo users, allege Yahoo’s interception of messages sent to a Yahoo subscriber in order to profile, collect data and scan for keywords violates California’s Invasion of Privacy Act and the Electronic Communications Privacy Act. The complaint says the practice is “the type of behavior that the U.S. Congress and the California legislature has declared should not be tolerated in a free and civilized society.”
Full Story

ONLINE PRIVACY—EU & U.S.

Analytics Altered for EU Privacy (October 8, 2013)

In a surprise turnaround, according to IDG News Service, Google will begin offering data processing agreements to websites using Google Analytics in the EU, Iceland, Norway and Switzerland. Since 2011, Google has only offered the agreements in Germany, but after pressure from the Article 29 Working Party to make the agreements EU-wide, Google said in a statement, “Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we’re pleased to provide an optional data processing agreement to Google Analytics customers,” adding, so far, the agreement will only be available in English. The Dutch data protection authority (DPA) has not yet commented, but one privacy expert said the move is significant, adding, “It’s clearly the result of the close coordination of the different DPAs in this case.” Meanwhile, the U.S. Supreme Court has declined a Google Adwords privacy lawsuit.
Full Story

DATA PROTECTION—EU

Avoiding Breach Fines (October 8, 2013)

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes for ITProPortal, “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes.
Full Story

PRIVACY LAW—U.S.

White House Pursuing Online Privacy Bill (October 7, 2013)
Now 18 months out from President Barack Obama’s unveiling of a proposal for a Privacy Bill of Rights, Politico reports that the White House is actively working on legislation that would “boost online privacy safeguards for consumers.” According to the report, the bill would define privacy rights, convene further multistakeholder approaches to defining standards and give the FTC authority to enforce codes of conduct. The Commerce Department is helping to draft the legislation, according to the report, and Rep. Lee Terry (R-NE), chairman of the House Energy and Commerce Subcommittee, has been approached about helping to shepherd the bill through Congress. The Internet Association, Direct Marketing Association and others are lining up to make sure their voices are heard. Urgency is lent by continuing NSA revelations, such as today’s news that the National Security Agency used a Firefox flaw to target users of the anonymous Tor network.

PRIVACY LAW—EU

Will Regulation Create Euro-Only Cloud? (October 7, 2013)

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Tracker Roundup: From Government Surveillance to Presumption of Harm (October 7, 2013)

While U.S. regulators mull over the need for rules surrounding drone use by law enforcement, Montana’s new gun owner healthcare privacy law went into effect and California continues to shape privacy law moving toward a “presumption of harm” in breach cases, but one op-ed claims its “revenge porn” law doesn’t do enough. A Zimbabwean law established a central SIM card database, and Australia’s information commissioner has released a best practice guide for app developers. This Privacy Tracker weekly roundup offers information on all these issues and more, including what regulators had to say at both the IAPP Privacy Academy and the 35th International Conference of Data Protection and Privacy Commissioners. (IAPP member login required.)
Full Story

DATA LOSS

A Big Week in Breaches (and Potential Breaches) (October 7, 2013)

Amidst last week’s reports of a hack affecting 2.9 million customers, Adobe is resetting relevant customer passwords and “notifying customers whose credit or debit card information may have been compromised.” Meanwhile, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld reports on Microsoft’s recycling of old addresses. And from medical data to personal information, breaches are being reported across the globe. In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner's Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff. In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period. And in the U.S., North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail, and Natural Provisions, a Vermont grocery store chain, has agreed to pay $30,000 to settle a violation of state data breach laws, Mondaq reports.
Full Story

MOBILE PRIVACY

Advertisers Finding New Ways To Track Mobile Users (October 7, 2013)

The Boston Globe this weekend looked at new trends in mobile tracking—even if “tracking is a dirty word” now, according to Eric Rosenblum, COO at Drawbridge, a start-up that is “observing your behaviors and connecting your profile to mobile devices.” Thus, advertisers are now able to connect desktop browsing with mobile devices based on app downloads and other indicators. Other firms, like Flurry, Velti and SessionM are doing similar work in helping advertisers like Ford, American Express and Expedia better target potential customers, according to the report. For many advertisers, the report says, “cookies are becoming irrelevant.”
Full Story

ONLINE PRIVACY

Ad Groups Working on New Tech for Opt-Out (October 7, 2013)

With the W3C’s efforts on Do Not Track moving along again with a call October 9, The San Francisco Chronicle details work by the Digital Advertising Alliance and the Interactive Advertising Bureau to develop technology that would allow consumers to opt out of online tracking “when methods other than traditional cookies are deployed.” The article focuses on a firm called BlueKai, which develops technology for data transfer independent of cookies, but with “the same transparency and notices that cookies have.”
Full Story

PRIVACY COMMUNITY—U.S.

More Privacy Victims of the Govt. Shutdown (October 7, 2013)

Groups tasked with U.S. intelligence oversight have suffered a setback at the hands of the U.S. federal government shutdown. According to a Politico report, the five-member Review Group on Intelligence and Communications Technologies, the independent surveillance oversight board created by President Barack Obama to respond to criticisms of the National Security Agency’s activities, met with Congressional intelligence leadership on Tuesday, but member Michael Morell, former director of the CIA, declined to take part, saying it was inappropriate in light of the shutdown. Then, on Friday, the Review Group’s staff was furloughed by the Office of Director of National Intelligence James Clapper. The volunteer board is free to meet, but all travel funds, etc., are frozen. Similarly, the Privacy and Civil Liberties Oversight Board was supposed to hold a public hearing Friday on proposals for changing surveillance programs but postponed the session because witnesses were unable to appear. Roughly 70 percent of the intelligence community in the U.S. is currently on furlough. Meanwhile, some are questioning why the FTC, for example, has chosen to cut off all access to its website during the shutdown.
Full Story

STUDENT PRIVACY—U.S.

Data Repository Debate Continues (October 7, 2013)

The New York Times reports on the ongoing questions surrounding school district plans to outsource student data storage and the privacy implications. The article focuses on how a Colorado superintendent saw nonprofit data repository inBloom as a fix for managing data currently in multiple databases in the cloud. But “a series of parents, school board members and privacy lawyers assailed the plan to outsource student data storage to inBloom.” Among those who voiced concerns was EPIC’s Khaliah Barnes, who said, “While we understand the value of data for promoting and evaluating personalized learning, there are too few safeguards for the amount of data collected and transmitted from schools to private companies.” The district is expected to decide on the plan by January, the report states. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Will Voters Support “Presumption of Harm” in Breach Cases? (October 4, 2013)
In a Mondaq report, Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer's express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual's personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach.

DATA BREACH

2.9 Million Customers Affected by Cyber-Attack (October 4, 2013)

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred," said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.”
Full Story

PRIVACY PROFESSION

Experts Highlight Current, Future Challenges (October 4, 2013)

In an in-depth feature for Data Informed, Eric Lucas highlights just a few of the key moments from this week’s IAPP Privacy Academy in Seattle, WA, quoting key concerns and tips from some of the speakers who addressed the international attendees. Howard Schmidt, for example, highlighted the profession’s challenges stemming from the link between privacy and security, noting, “Privacy and security are two sides of the same coin. Without security, you have no privacy. Privacy is the goal, security is the means.” Lucas also quotes several other privacy professionals, including keynote speaker Stewart Baker’s discussion of the “privacy panic” that spurred American privacy law. Meanwhile, Inside Counsel looks at how CPOs manage risk, focusing on insights from experts including Maureen Cooney, CIPP/US, CIPP/G, and Nuala O’Connor, CIPP/US, CIPP/G, at the recent Women, Influence and Power in Law conference.
Full Story

ONLINE PRIVACY—U.S.

Silk Road Bust Shows Feds Penetrating Deep Internet Anonymity (October 4, 2013)

The bust this week of the notorious online entrepreneur Dread Pirate Roberts, now known to be Ross William Ulbricht, a 29-year-old from San Francisco, CA, and the closing of his Silk Road online marketplace for illicit drugs and other sundries, shows U.S. law enforcement is infiltrating ever deeper into the “Deepnet” or “hidden Internet,” writes CSO Online. Silk Road operated on the Tor anonymity network and was used by thousands to get home deliveries of everything from cocaine to fake passports. Because of Tor’s ability to shield IP addresses and online personas, it can be difficult to uncover the identities of those running these kinds of marketplaces that are hidden from the vast majority of Internet users. In this case, it may be that Ulbricht was undone by his use of a Gmail address.
Full Story

TRAVELERS’ PRIVACY—U.S.

TSA’s “Pre-Check” Raising Concerns (October 4, 2013)

The Washington Post reports the Transportation Security Administration (TSA) Pre-Check program, which is due to formally launch this fall, “will already have the enthusiastic endorsement of frequent travelers—and an equally enthusiastic denouncement from privacy advocates.” The Pre-Check “trusted travelers” program may allow enrollees to bypass airport security lines, but it has privacy advocates pointing out that even those who pay the fee to enroll have no guarantee they’ll be included and those who are excluded may not be told why. “If you sign up, you’ll want to keep your nose clean for the rest of your life,” noted the Center for Democracy & Technology’s Gregory Nojeim, “because that’s how long the FBI will keep your fingerprints.” (Registration may be required to access this story.)
Full Story

HEALTHCARE PRIVACY—U.S.

McAfee: “What Idiot Put This System out There?” (October 4, 2013)

While some said the criticism of privacy protections in the Affordable Care Act’s implementation was political grandstanding, at least one noted cybersecurity guru is right there with them. In a scathing criticism of the technical implementation of the Affordable Care Act, John McAfee said it is a hacker’s “dream.” Because there is no central organization of the program, “anybody can put up a web page and claim to be a broker for this system … [and] it’s not something software can solve.” An unsuspecting person is likely to think a rogue website is real, deliver up Social Security number and various other intimate health details, only to discover the site is fake and built to steal identities. Retirees, McAfee predicts, will have their savings “wiped out in one day because [they] signed up for Obamacare.”
Full Story

PRIVACY LAW—U.S.

Opinion: CA Revenge Porn Law Doesn’t Go Far Enough (October 4, 2013)

On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelton for Slate, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.”
Full Story

PRIVACY LAW—EU

At Academy, Experts Weigh In on Regulation (October 3, 2013)
The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes, Bird & Bird Partner Ruth Boardman and Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E. This exclusive for The Privacy Advisor examines the perceived rut the regulation is in—with McDougall suggesting it is on step one of 30—and what should be expected with a potential regulation, including predictions it will be more prescriptive around data retention. Meanwhile, reports suggest more than one third of smaller EU firms “are risking prosecution under data retention laws by hoarding data beyond the scope and period required by law.”

PRIVACY LAW—U.S.

Hulu Seeks Dismissal of VPPA Case (October 3, 2013)

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn't suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.”
Full Story

ONLINE PRIVACY—U.S.

“Big Data” Likened to Atomic Power and Other NSA-Related News (October 3, 2013)

GigaOM quotes a scientist's suggestion that Big Data is akin to atomic energy in that “it’s very beneficial when used ethically and downright destructive when turned into a weapon.” Meanwhile, in its ongoing series examining the digital trails we leave behind “and who potentially has access,” NPR considers whether the Fourth Amendment provides any protection. And a Tech Dirt feature focuses on 2013 IAPP Vanguard Award winner and former Department of Homeland Security (DHS) CPO Mary Ellen Callahan, CIPP/US, founder and chair of Jenner & Block’s Privacy and Information Governance Practice. The report cites Callahan’s comments in support of protecting Americans’ privacy rights amidst what its author references as a “lack of respect for privacy in both (DHS) and the wider intelligence community.”
Full Story

PRIVACY LAW—U.S.

Telemarketing Rules Go Into Effect this Month (October 3, 2013)

Mintz Levin’s Privacy and Security Matters reports that the Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.”
Full Story

DATA LOSS—U.S.

School District, Health-Related Breaches Reported (October 3, 2013)

A New Orleans teachers' union claims the East Baton Rouge Parish school system violated its employees’ privacy rights when it purchased a full-page ad to congratulate—by name—1,113 educators, The Advocate reports. In Illinois, a local hospital is alerting some of its patients of a possible data breach after a laptop was stolen from an employee’s car. In California, a public health unit is notifying almost 600 patients that their protected health information has been compromised after a laptop was stolen there. And in Iowa, law enforcement is investigating a breach of electronic medical records after a third-party company gained access to the system using an authorized user’s password. Meanwhile, healthcare experts have been discussing concerns related to the need to share veterans’ healthcare data and recent breaches at Veterans Affairs.
Full Story

BIG DATA

Opinion: Why Data Center Locations Matter (October 3, 2013)

Andy Thurai and David Houlding of Intel write for Venture Beat about the importance of controlling where data is stored and processed in the age of Big Data and varied laws across the globe. “While most Big Data providers are able to provide security for the storage and transmission of sensitive data, most implementations that we see don’t provide location transparency or location-contingent data processing,” the authors write, adding, “imagine the power of users being able to choose where their data is processed or stored.” The authors suggest allowing consumers to choose the location and security level of their data and offer technical solutions to make that possible.
Full Story

PRIVACY LAW—U.S.

State AG: Federal Breach Law? No Way (October 2, 2013)
Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at this week’s IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way."

SOCIAL NETWORKING—EU & IRELAND

Privacy Group Receives Facebook Response (October 2, 2013)

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website today, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision.
Full Story

PRIVACY LAW—U.S.

Baker: U.S. Laws Built on “Privacy Panic” (October 2, 2013)

Was the man we might consider the “grandfather” of privacy, Louis Brandeis, in fact a “fogey,” penning his acclaimed work “The Right to Privacy” amidst a “privacy panic” brought on by the advent of inexpensive Kodak cameras over a century ago? Yes, Stewart Baker told the crowd at the IAPP Privacy Academy during his keynote address yesterday. Baker, whose career has included being the first assistant secretary for policy at the Department of Homeland Security and general counsel of the National Security Agency, described the current patchwork of U.S. privacy laws as a result of “privacy panic”—reactionary, moral panic-based lawmaking built on a small but powerful subgroup’s irrational fears of technological advances.
Full Story

PRIVACY COMMUNITY

Callahan Named Vanguard; Innovation Award Recipients Announced (October 2, 2013)

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, CIPP/US, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs.
Full Story

SURVEILLANCE—U.S.

Advocates Call for Open Talks, Warn NSA Weakening Cybersecurity (October 2, 2013)

A group of privacy advocates is warning that attempts by the U.S. National Security Agency (NSA) to weaken encryption for surveillance access will create mistrust in U.S.-based Internet companies around the world, PCWorld reports. Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former Google public policy director, said for U.S. businesses, it is “terribly debilitating and undermining to have the rest of the world thinking there have been backdoors built into their systems to help the U.S. government.” The developments will also erode trust in the U.S. National Institute of Standards and Technology because of reports the standards group aided the NSA in tampering with the standards. Meanwhile, six privacy advocacy organizations are calling on the U.S. House of Representatives Privacy Working Group’s leaders to open up its meetings with tech companies to the public.
Full Story

HEALTHCARE PRIVACY—U.S.

Tiger Team Hears “Accounting for Disclosures” Testimony (October 2, 2013)

iHealthBeat reports on Monday’s hearing before the Health IT Policy Committee's Privacy and Security Tiger Team on providing patients with information about access to their healthcare data. The hearing on the “Accounting for Disclosures” policy mandated by the HITECH Act included comments from various stakeholders. Patient Privacy Rights’ Deborah Peel “recommended that regulators require health IT developers to provide open access to logs that record every instance a patient's digital health information is accessed or shared over a network,” the report states, while “doctors, insurers and software developers said such a policy is not feasible.” The committee is currently scheduled to meet October 9.
Full Story

PRIVACY LAW—U.S.

One Class-Action Dismissed; Another Dismissal Sought (October 2, 2013)

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action, Law 360 reports. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user's amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user's claims vague and deliberately obtuse,” the report states. (Registration may be required to access this story.)
Full Story

CONSUMER PRIVACY—U.S.

FTC To Ramp Up Advertising Privacy Enforcement (October 1, 2013)
AdWeek profiles Federal Trade Commission (FTC) Director of Consumer Protection Jessica Rich and recent remarks she made to the advertising community in New York City. “The FTC has long had a focus on national advertising,” she said. “We’re by no means finished.” Specifically, Rich noted the agency will step up enforcement in the digital arena, including mobile advertising disclosures. “This will be an area of increased law enforcement in the coming year,” she said. In addition to the “numerous privacy concerns” in the Big Data sphere, Rich said, “The NSA and Snowden incidents have done a lot to raise awareness about the collection of consumer data,” adding, “Consumers should be able to expect basic privacy and security protections.”

PRIVACY LAW—U.S.

How California Is Shaping Privacy Law (October 1, 2013)

With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. In this Privacy Tracker exclusive, the Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented.
Full Story

SURVEILLANCE—EU & U.S.

MEPs Discuss Future of EU-U.S. Trade; Scalia Suggests Privacy Isn’t Protected (October 1, 2013)

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, "not privacy, per se.” Meanwhile, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications.
Full Story

PRIVACY BUSINESS—U.S.

The Choice-Sized Gap in the Market (October 1, 2013)

For many privacy pros, Big Data can mean big headaches as we grapple with issues and weigh risks. However, writes M. Jos. Capkovic, CIPP/US, in the latest installment of Privacy Perspectives, some tech entrepreneurs are capitalizing on this market uncertainty by building businesses around choice. Several innovators, he writes, “have identified a choice-sized gap in the market, and they’re ready to meet the demand.”
Full Story

SOCIAL MEDIA—U.S.

PII Disclosures, Privacy vs. Accountability Examined (October 1, 2013)

The General Services Administration Center for Excellence in Digital Government has released a memorandum on agencies’ use of social media and the dangers of posting content that contains personally identifiable information (PII). A specialist with the center, Tim Lowden, reminds agencies that they are required by Section 208 of the E-Government Act to conduct privacy impact assessments “when developing or before acquiring or using third-party sites or applications that collect PII.” Meanwhile, a Forbes report examines a recent high-profile case involving social media to question what the right balance is when it comes to protecting privacy while “promoting accountability” online.
Full Story

DATA LOSS

Amidst Myriad Breach Reports, Tips Offered (October 1, 2013)

It is shaping up to be a busy week for data breach incidents. Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners, ITPro UK reports. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, Krebs on Security reports the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents.
Full Story

PRIVACY BUSINESS

Experian Buys Fraud Detection Firm for $324 Million (October 1, 2013)

Reuters reports that Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication.
Full Story

HEALTHCARE PRIVACY—U.S.

NIH Seeks Comments on GDS (October 1, 2013)

FierceBiotechIT reports the National Institutes of Health (NIH) is calling for comments following the publication of its draft Genomic Data Sharing (GDS) policy. The GDS, which applies to all NIH-funded research, “details the need to strip all data of names, Social Security numbers and other identifiers before uploading,” the report states, noting de-identified data is then required to be coded at random to protect privacy. “All data is subject to NIH's desire for widespread sharing,” according to the report.
Full Story

PRIVACY BUSINESS—U.S.

Opinion: Gov’t Needs Office of Data Innovation (October 1, 2013)

The Information Technology and Innovation Foundation’s Daniel Castro calls for the creation of a Department of Commerce Office of Data Innovation in this feature for Smart Data Collective. Despite the extensive economic value of data, “there is still no federal government agency responsible for developing and implementing a national strategy to promote data-driven innovation across all sectors of the economy,” he writes, noting the office “would set priorities for technological research on relevant topics such as data analytics and data storage, as well as privacy and security technologies … it could recommend that the National Science Foundation prioritize research funding in areas such as data de-identification, privacy-preserving data mining, secure, multi-party authentication and interoperable digital credentials.”
Full Story