Privacy News | Daily Dashboard

Top Privacy News

PRIVACY

2013: The Year of Privacy (December 20, 2013)

As we come to the end of 2013, IAPP VP of Research and Education Omer Tene ruminates on the major developments during this tumultuous year in privacy. After the Summer of Snowden, developments in the EU general data protection regulation and more, Tene writes, “You’ve got to admit that as a privacy professional who used to get a blank look when telling an outsider what you do for a living, 2013 marks a turning point.” In this Privacy Perspectives post, Tene takes us through the year that was and how 2014 “will be even privacier.”

PRIVACY

The Year’s Top 10 Stories in The Privacy Advisor (December 20, 2013)

While this may have been the year of Edward Snowden, it’s not surprising here in the IAPP offices to see that the year’s top stories in The Privacy Advisor focused on the practical aspects of being a privacy professional. The news of the day is all well and good, but the day-to-day operation of a privacy program is an animal that always needs feeding. Hopefully, we’ve given you some tools this year to make life a little easier and make your operation run more smoothly. But there was quite a bit of news, wasn’t there? Take a look at our top 10 stories of 2013.

PRIVACY

The Year’s Top 10 Privacy Perspectives Posts (December 20, 2013)

In the year that featured our first-ever blog—and now with Privacy Tracker we have two—we thought it appropriate to take a look back and highlight 10 of our most-read posts in 2013. From torpedoes being fired on Safe Harbor to the ABCs of BCRs to the revealing nature of a social media experiment, these posts have generated intrigue and, in some cases, thoughtful commentary from you, our readers.

PRIVACY LAW

Merry Christmas Peter Fleischer, Wherever You Are (December 20, 2013)

While much happened this week in privacy news—the NSA’s surveillance was deemed likely unconstitutional; consent was declared dead; the data broker industry was put on notice by a U.S. senator, and the EDPS released its 2014 inventory—the news that hit home for us was that Peter Fleischer and two other Google executives were acquitted in Italy’s Supreme Court after an eight-year battle over whether they were legally responsible for content that users uploaded to Italy’s version of YouTube. Back in the day, the implications of this case were a little scary for privacy pros around the globe, and it seems now it’s finally over. Take a look at this and all the week’s developments in privacy law in this Privacy Tracker weekly roundup. (IAPP member login required.)

PRIVACY LAW—SPAIN

Spain’s DPA Fines Google $1.2M (December 20, 2013)

Spain’s data protection authority (DPA) has fined Google $1.2 million (900,000 euros) for the illegal collection and use of consumers’ personal data, Bloomberg reports. The company is charged with “three serious violations” by the DPA for not providing details “about what data it collects, what it uses it for and without obtaining a valid consent.” Google was fined 300,000 euros for each of the three violations and is required to take the “necessary measures without any delay to comply with the legal requirements.” In a statement, Google said, “We’ve engaged fully with the Spanish (authority) throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services, and we’ll continue to do so,” adding “We’ll be reading their report closely to determine next steps.”

CYBERSECURITY—U.S.

Coalition of Internet Firms Worried About NIST Framework (December 20, 2013)

FierceGovernmentIT reports that some major Internet companies comprising the Internet Commerce Coalition say the National Institute of Standards and Technology’s proposed privacy framework would be “potentially burdensome,” therefore discouraging some organizations from adopting it. The final draft of the framework is to be released in February, and privacy is built into its requirements. The coalition says it favors a methodology developed by Hogan Lovells’ Harriet Pearson, CIPP/US, under which firms would be required to follow a more general scheme rather than the privacy appendix suggested in the framework now.

BYOD—U.S.

Policies Gained Ground in 2013 (December 20, 2013)

Computerworld reports on a shift in the adoption of bring-your-own-device (BYOD) policies in 2013. A poll taken in January found that three of four respondents had a program in place, but two-thirds had an “anything goes” philosophy. This year, CIOs began shifting IT department cultures to embrace mobile apps in an effort to manage BYOD. “The education cycle by the vendors and analysts began to sink in,” said one expert. “Line of business managers don’t want this liability on their hands.”

SURVEILLANCE—U.S.

Opinion: Nation Needs Reforms (December 20, 2013)

In an op-ed piece for The New York Times (NYT), members of the President’s Review Group on Intelligence and Communications Technologies, appointed in August, write that “the nation needs a package of reforms that will allow the intelligence community to continue to protect Americans, as well as our friends and allies, while at the same time affirming enduring values, involving both privacy and liberty.” The group has made 46 recommendations to President Barack Obama. Another NYT article discusses the repercussions if Obama adopts the advisory group’s most far-reaching recommendations, which may “go a long way toward determining the legacy of his presidency.” Meanwhile, author David Eggers says U.S. writers must take a stand on U.S. surveillance. (Registration may be required to access this story.)

DATA LOSS—U.S.

40 Million Potentially Affected by Breach (December 19, 2013)

Target is investigating a data breach potentially affecting 40 million credit and debit cards, KrebsonSecurity reports. The breach began on or around Black Friday—the biggest shopping day of the year in the U.S.—and involves all Target locations nationwide. Target released a statement confirming the breach and indicating the accounts may have been impacted between November 27 and December 15. One analyst, who asked to remain anonymous, said, “We can’t say for sure that all stores were impacted, but we do see customers all over the U.S. that were victimized.”

PRIVACY LAW—U.S.

Can Plaintiffs’ Lawyers Fill the DPA Role? (December 19, 2013)

Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, CIPP/US, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attorneys’ fees for plaintiffs’ counsel and very little for individual class members.”

SURVEILLANCE—U.S.

NSA Review Panel Urges Major Oversight, Some Restrictions (December 19, 2013)

A review panel of outside intelligence and legal experts on Wednesday released its report to President Barack Obama recommending increased oversight and some restrictions on the National Security Agency (NSA) surveillance programs. Among the 46 recommendations, the panel urged Obama to restructure the NSA’s metadata collection program by having telecommunications companies or a private consortium hold the data and only share it after the agency provides an approved court order “for queries and data mining.” The panel also recommended the agency halt its practice of creating “backdoors” into hardware and software as a secret way to manipulate devices and online systems. The New York Times reports Sen. Ron Wyden (D-OR) said, “This has been a big week for the cause of intelligence reform,” and the Center for Democracy and Technology’s Greg Nojeim called the report “remarkably strong.” Obama reportedly said he was “open to many” of the recommendations. (Registration may be required to access this story.)

SURVEILLANCE—U.S.

Analyzing the NSA Review Panel Report (December 19, 2013)

The President’s Review Group on Intelligence and Communications Technologies has released its report reviewing the government’s surveillance program in the aftermath of Edward Snowden’s disclosures. In this exclusive for The Privacy Advisor, Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, offers a look at key points and recommendations laid out in the report juxtaposed with research from the Lares Institute showing Americans’ perceptions of Snowden and levels of trust in public and private entities. Whether the changes outlined in the report will occur “remain to be seen, but in any case, the report offers a starting point for continued, informed debate in this country,” Serwin writes.

DATA TRANSFER—EU & U.S.

LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don’t Negotiate on Privacy (December 19, 2013)

A preliminary conclusion by the European Parliament’s Civil Liberties Committee (LIBE) into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.”

BIG DATA—U.S.

Sen. Tells Data Broker Industry They’re On Notice (December 19, 2013)

In a Senate Commerce Committee hearing on Wednesday, Sen. Jay Rockefeller (D-WV) had harsh words for the consumer data broker industry. “We have a feeling people are getting scammed or screwed,” he said. The hearing focused on the use of consumer marketing data and followed the release of Rockefeller’s report on the industry, which said that Acxiom, Epsilon and Experian were not as forthcoming with their answers to Rockefeller’s investigation as he would have liked. Rockefeller warned he may use more forceful means of getting them to share such insights, AdAge reports. Experian Senior VP of Government Affairs and Public Policy Tony Hadley defended his company’s practices and said it has safeguards to ensure bad actors do not get consumer lists. In chilling testimony, the World Privacy Forum’s Pam Dixon discussed some of the disturbing use of data, including the selling of rape victim lists, home addresses of police officers and names of those with genetic illnesses. Rockefeller said the committee will continue to shine a spotlight on the industry.

PRIVACY COMMUNITY—GERMANY

German Parliament Elects New Federal Data Protection Commissioner (December 19, 2013)

With Peter Schaar leaving the position of German Federal Data Protection Commissioner on December 17 after 10 years of service, the coalition German government needed to nominate a replacement for confirmation in the Bundestag. On Thursday, they appointed Andrea Voßhoff, a member of the conservative-leaning Christian Democratic Union who served in the Bundestag from 1998 through 2013. Generally unknown to the privacy community, Voßhoff has received a negative initial reception from some privacy advocates: German MEP Jan Philipp Albrecht strenuously objected to her nomination, saying on Twitter that her confirmation would amount to an “abolition” of the office. In this exclusive for The Privacy Advisor, Jörg Hladjk, counsel at Hunton & Williams and German-qualified attorney with a German PhD in privacy, expounds upon the three main challenges Voßhoff faces as she enters her five-year term.

PRIVACY LAW—EU & U.S.

DPC Makes Headlines; Official Says Regulation Won’t Hurt Business (December 19, 2013)

At the IAPP’s Data Protection Congress in Brussels last week, experts discussed the forthcoming European privacy requirements, which are “almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale,” DataInformed reports. European Commission Director of Fundamental Rights Paul Nemitz dismissed concerns that the regulation will hurt business, saying privacy will instead become a competitive advantage. Out-Law.com quotes European Commissioner Neelie Kroes’s speech, delivered at the event by Kroes’s Head of Cabinet Constantijn van Oranje-Nassau, in favor of reforms such as companies being able to process pseudonymized data without consent, and Bloomberg reports on U.S. Federal Trade Commissioner Julie Brill defending the Safe Harbor program during the DPC’s opening session.

PRIVACY LAW—U.S.

Hulu Fights Class-Action (December 19, 2013)

Hulu has asked a federal judge to deny a class certification over allegations it violates the Video Privacy Protection Act by disclosing viewer data to Facebook and a business analytics service, reports Courthouse News Service. The lead plaintiff in the lawsuit, filed in February 2012, said Hulu repurposed its browser cache in order to store users’ private data. U.S. Magistrate Judge Laurel Beeler deferred ruling on the case last June. Hulu said the class couldn’t prove “injury” and there isn’t enough common evidence to certify a class. A summary judgment is slated for February 6.

ONLINE PRIVACY—U.S.

Site Picks “Privacy” as Word of the Year, Tracks Users (December 19, 2013)

In a piece for The Washington Post, Ashkan Soltani and Andrea Peterson report that Dictionary.com has chosen “privacy” as its word of the year, citing, among other reasons for the pick, this year’s NSA revelations. “But it has a ring of irony due to the site’s particularly robust consumer-tracking efforts,” they write. The site places 90 cookies on visiting users’ computers and has the most “beacons”—software that can track what a user does on a given webpage—of any site studied in The Wall Street Journal’s 2010 investigation, the report states. (Registration may be required to access this story.)

PRIVACY LAW—EU

Yes, Consent Is Dead and Giving It a Central Role Is Dangerous (December 18, 2013)

At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?”

BIG DATA—U.S.

Senator’s Report: Data Broker Industry Under “Veil” of Secrecy (December 18, 2013)

Ahead of this afternoon’s Senate Commerce Committee hearing on data brokers, Sen. Jay Rockefeller (D-WV) released the findings of his yearlong investigation into the industry, Broadcasting & Cable reports. In October 2012, Rockefeller launched the investigation and sought information from nine of the industry’s largest data brokers about what marketing data they collect and how it is used. The report is described as more of a summary of the state of the industry than a call for regulation. In a statement, Rockefeller said, “While there are laws on the books that protect the privacy of Americans’ health and financial information, they do not cover data brokers’ marketing activities—and I want to assure these data brokers that the oversight efforts this committee has started will continue.” Hogan Lovells examined the potential impact of the GAO’s report along similar lines on Monday.

PRIVACY LAW—U.S.

Unpacking the Klayman v. Obama Decision (December 18, 2013)

On December 16, the District Court in the District of Columbia issued an opinion finding that the National Security Agency’s (NSA) surveillance program was likely unconstitutional. In Klayman v. Obama, five plaintiffs sued a variety of government officials and private companies seeking preliminary injunctive relief based upon the assertion that the NSA program was unconstitutional and violated other statutes. In what ended up making big news, the court concluded there was a substantial likelihood the plaintiffs would prevail on their Fourth Amendment claims and issued an injunction. In this Privacy Tracker blog post, Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, unpacks the court’s decision. (IAPP member login required.)

PRIVACY EDUCATION

IAPP Offers New Suite of Web Conferences (December 18, 2013)

The IAPP has announced an integrated suite of web conferences to allow members to access far more of this valuable content while providing an opportunity for certified members to acquire up to 14 free Continuing Privacy Education hours in 2014. This feature for The Privacy Advisor details the full schedule of programs, which includes the Insight Series, Access Series and Innovation Series. We hope you will take advantage of these new opportunities for education to help you with your day-to-day operations and to further augment the body of knowledge developed through CIPP or CIPM certification.

INTERNET OF THINGS—U.S.

Study: People Willing To Exchange Privacy for Cost Savings (December 18, 2013)

A new survey indicates just how much privacy people are willing to trade in exchange for monetary benefits. The Intel and Penn Schoen Berland survey, which polled people in eight countries, found that 70 percent would be willing to share data from a “smart toilet” if it meant lower healthcare costs, and 84 percent would be willing to share vital statistics such as blood pressure or lab tests, The Wire reports. The survey also found 75 percent would be willing to share data obtained via a health monitor they could swallow.

SURVEILLANCE—U.S.

Tech Giants Meet with Obama, Talk NSA (December 18, 2013)

The New York Times reports on a high-level meeting Tuesday between President Barack Obama and chief executives from 15 of the country’s largest technology companies to discuss, in part, National Security Agency (NSA) surveillance programs. In a post-meeting statement, the executives said they urged Obama “to move aggressively on reform…” They also raised concerns that foreign countries, such as Brazil, may prevent user data from flowing to the U.S., which could hurt the executives’ businesses as well as the U.S.’s start-up economy. Though the White House made no commitments, it reportedly expressed sympathy with the web companies’ call for more transparency about government requests for user data, and it told the executives that government action to reform NSA surveillance would happen in the new year, the report states. Meanwhile, Bloomberg reports Monday’s ruling on the NSA could move to the Supreme Court. (Registration may be required to access this story.)

SMART GRID—U.S.

Consumers Warming Up to Smart Meters (December 18, 2013)

Consumers’ fears over smart meters are beginning to dissipate, FierceSmartGrid reports. That’s according to a survey by Navigant Research, which found the percentage of customers who have “favorable” or “very favorable” attitudes toward smart meters has increased from about 37 percent in 2010 to about 43 percent in 2013. While the numbers are improving, “utilities still have some distance to go in building majority support for these technologies.”

PRIVACY COMMUNITY—U.S.

Kerry To Work on Privacy, Big Data at MIT (December 18, 2013)

Cameron Kerry, former acting secretary and general counsel of the Department of Commerce, will join the MIT Media Lab as a visiting scholar, MIT News reports. Kerry will work with Prof. Alex “Sandy” Pentland and the Human Dynamics research group on topics related to privacy and personal data ownership as well as on Pentland’s Big Data for Public Good research initiative, the report states. Pentland said Kerry will be “instrumental in bringing together key players, including governments, multilateral organizations and multinational corporations.”

PRIVACY LAW—ITALY

Supreme Court Acquits Google Execs in Privacy Case (December 18, 2013)

According to his personal blog, Google Global Privacy Counsel Peter Fleischer and two additional “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees for failing to comply with Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.”

PRIVACY LAW—U.S.

Federal Judge Rules NSA Program Likely Unconstitutional (December 17, 2013)

A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional, Politico reports. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions.

SURVEILLANCE—EU & U.S.

Brawling Over Government Access: “Have You Been NSA’d?” (December 17, 2013)

The most fiery discussion at the IAPP Data Protection Congress in Brussels last week came during its final session, with IAPP VP of Research and Education Omer Tene doing his best to referee a conversation between former NSA General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philipp Albrecht. In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details some of the highlights from the session, “Have You Been NSA’d? Government Access and the New EU Regulation,” and provides full audio of the discussion.

PERSONAL PRIVACY

The Privacy Implications of Data-Driven Dating (December 17, 2013)

“When we talk about Big Data, we mostly refer to large-scale conglomerations of information about our collective behavior, aggregated by governments and big corporations,” writes Karen Levy of Princeton University. “But there’s another way data have become big: Our interpersonal connections are being infiltrated by data to an unprecedented degree, changing how we relate to one another,” she adds. This post for Privacy Perspectives looks into the range of apps and technology that allow individuals to gather, interpret and deploy data and not only be “passive data points about whom data is collected and aggregated.”

PRIVACY COMMUNITY

Ten Years and Two Terms Later, a Look at Peter Hustinx’s Legacy (December 17, 2013)

European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004. In this exclusive for The Privacy Advisor, Angelique Carson, CIPP/US, speaks with Willem Debeuckelaere, Chris Doxsey, Dimitrios Droutsas, Sophie in ‘t Veld, Billy Hawkes and Christopher Wolf about the legacy Hustinx leaves behind and the shoes his successor will have to fill.

PRIVACY—U.S.

Instagram Rolls Out Nuanced Photo-Sharing (December 17, 2013)

The New York Times reports on Instagram Direct, a new messaging service that allows users to document granular parts of their day to clusters of friends. As our “notions of privacy are constantly evolving and, in many cases, being eroded altogether,” we are “learning how to cope by adapting ourselves and our sharing behaviors by deciding which version of ourselves to present based on the number of people who will be able to see it,” the report states, suggesting the new service seems to respond to that adaptation. (Registration may be required to access this story.)

DATA LOSS—U.S.

State Employee Downloaded SSNs to Personal Computer (December 17, 2013)

Despite a warning on computer security, a state employee who resigned last week says he downloaded data on 6,300 teachers so he could work from home, The Tennessean reports. The 24-year-old former Tennessee Department of Treasury worker told authorities he e-mailed data from a state computer system with a personal account. He uploaded a Tennessee Consolidated Retirement System file containing Social Security numbers on active teachers, violating the treasury’s privacy policy. The man has not been charged with a crime, but all affected teachers have been notified.

HEALTHCARE PRIVACY—U.S.

Recruiters Mining Medical Data To Target Subjects (December 17, 2013)

The Wall Street Journal reports on healthcare companies’ probes of readily available information from data brokers, pharmacies and social networks in order to recruit patients for clinical trials. Blue Chip Marketing Worldwide, for example, found patients to experiment with an obesity drug by targeting people who presumably live sedentary lifestyles, such as those who subscribe to premium cable TV or eat at fast-food chains frequently, the report states. “We are now at a point where, based on your credit-card history … we can get a very, very close read on whether or not you have the disease we’re looking at,” said a spokesman from one pharmaceutical product development company. (Registration may be required to access this story.)

PRIVACY LAW—U.S.

Will GAO Report Spur Action from Congress? (December 16, 2013)

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, "Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace." The report recommends that Congress "consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information." Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014. In this exclusive for Privacy Tracker, the Hogan Lovells privacy team looks at what the GAO examined, and, in the short term, how Congress might respond to the GAO’s findings and, when they are published, Rockefeller’s. Are stronger consumer privacy protections on the way?

MOBILE PRIVACY—U.S.

Study: Smartphone Users Will Pay More for Privacy (December 16, 2013)

A study by University of Colorado Profs. Donald Waldman and Scott Savage has found “average smartphone users are willing to pay a few dollars for mobile apps that maintain privacy,” Daily Camera reports. The team surveyed 1,726 people from seven U.S. cities, finding “consumers are willing to pay $4.05 to conceal contact lists, $3.58 to conceal the contents of text messages, $2.28 to shield browser history, $1.75 to block the phone’s ID number and $1.19 to conceal personal locations,” the report states. “We wanted to put a number out there,” Savage said. “Instead of saying what you feel or anecdotally thinking privacy is important, let’s put a number on it. Then people can have a real discussion.”

PRIVACY ART

The Privacy Messages Sent Through Art (December 16, 2013)

Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery.

PRIVACY LAW

U.S. and French Laws, EU Retention Directive Under Fire (December 16, 2013)

France is receiving criticism for a new law expanding government agencies’ access to Internet data; a European Court of Justice advocate has deemed the retention directive in violation of citizens’ fundamental privacy rights, and in the U.S., a petition to update the Electronic Communications Privacy Act has received more than 100,000 signatures. This week, Privacy Tracker reports on these developments as well as new administrative measures for Chinese credit reference agencies, U.S. states’ challenges to NSA surveillance and new fining powers for the Dutch data protection authority. (IAPP member login required.)

MOBILE PRIVACY—UK & U.S.

Removal of Privacy Feature Criticized; UK High Court To Rule on Google Case (December 16, 2013)

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.”

TRAVELERS’ PRIVACY—U.S.

Customized Airfare Packages Raise Privacy Concerns (December 16, 2013)

Industry reports say airlines are looking to roll out customized airfare packages for consumers based on collected data that could include income, home location and travel patterns. They are raising privacy concerns among some consumer advocates and have received the attention of the U.S. Department of Transportation (DoT), Los Angeles Times reports. A spokeswoman for Airlines for America said, “We expect to see more airlines adopt this trend in commerce as they continue to offer passengers a more personalized travel experience.” However, Consumer Travel Alliance’s Charles Leocha said, “It will be the death of comparison shopping.” The DoT is scheduled to meet on Monday to discuss airfare pricing and could recommend federal legislation requiring airlines to disclose what data they’ve collected on travelers, the report states.
Full Story

ONLINE PRIVACY

Bilton: “Anyone Who Can Watch You Will” (December 16, 2013)

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—FRANCE

IKEA Spying Allegations Shock Nation (December 16, 2013)

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE—U.S.

Boston PD Suspend License-Plate Reader Use (December 16, 2013)

The Boston Police Department “has indefinitely suspended” its use of license-plate readers to check for motor vehicle violations in light of privacy concerns, The Boston Globe reports. “The police inadvertently released to the Globe the license plate numbers of more than 68,000 vehicles that had tripped alarms on automated license-plate readers over a six-month period,” the report states, noting that release “triggered immediate doubts about whether the police could reliably protect the sensitive data.” Spokeswoman Cheryl Fiandaca said the department suspended the program while Commissioner William Evans reviews it “so he knows that it’s being used effectively and that it doesn’t invade anyone’s privacy.”
Full Story

PRIVACY ENFORCEMENT—U.S.

How the FTC Isn’t the Only U.S. DPA on the Block (December 13, 2013)

“The U.S. Federal Trade Commission (FTC) has understandably been the focus of much attention in the data privacy world” and has even been called the “U.S.’s de facto Data Protection Authority,” write Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US. “We respectfully disagree,” they add. In this Privacy Perspectives installment, Smoyer, a Dickstein Shapiro partner, and Lancaster, a Dickstein Shapiro counsel, make the argument that the FTC faces “unprecedented challenges, while state attorneys general, who have similar—and in some instances greater—authority, are taking more and more steps to protect the privacy of their citizens.”

DATA PROTECTION

The EU and APEC: A Roadmap for Global Interoperability? (December 13, 2013)

The steady stream of media reports on the privacy differences between the EU and the U.S. would have you believe that cross-border data sharing is nothing but storm clouds over the Atlantic. There is, however, a bright spot for cross-border information flows if we turn our attention to the Pacific. In this exclusive for The Privacy Advisor, John Kropf, CIPP/US, CIPP/G, and Malcolm Crompton, CIPP/US, look at data transfers in the APEC region, suggesting other regions take heed.
Full Story

SURVEILLANCE—U.S.

Obama Panel Urging Some NSA Curbs (December 13, 2013)

The New York Times reports on the conclusions of President Barack Obama’s surveillance review panel. According to the panel’s report, the National Security Agency (NSA) program collecting U.S. phone call data should continue but only under “broad new restraints” to increase privacy protections. The panel also allegedly concluded that the U.S. should codify and publicly announce the steps it’s taking to protect the privacy of foreign citizens whose phone and Internet data is collected by the NSA and create “an organization of legal advocates” to argue against government lawyers before the Foreign Intelligence Surveillance Court. Resistance to the conclusions from the NSA and others is expected, the report states. Meanwhile, Verizon Communications has taken a stance against a shareholder resolution that would require more transparency about what user data it shares with the government. AT&T recently resisted a similar shareholder resolution as well. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—U.S.

The Impact of New Payment Card Industry Standards on Business (December 13, 2013)

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. In this exclusive for The Privacy Advisor, Rebecca Shwayri examines the new requirements, compares them to the last version and predicts areas where they may be updated in the future.
Full Story

PRIVACY LAW—U.S.

Petition Acquires Enough Signatures To Require White House Response (December 13, 2013)

The Hill reports on a petition on the White House website calling for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an official response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power.
Full Story

STUDENT PRIVACY—U.S.

Study: Schools Increasingly Outsourcing Student-Data Collection, Neglecting Safety (December 13, 2013)

Public schools are using web-based services to collect and analyze personal details about students but aren’t providing the necessary safeguards. That’s according to a new study to be released today by the Center on Law and Information Policy at Fordham Law School, The New York Times reports. The study looked at the contracts school districts sign to outsource such analytics. Many of the contracts “failed to list the type of information collected” and others “did not prohibit vendors from selling personal details—like names, contact information or health status—or using that information for marketing purposes,” the report states. Meanwhile, EPIC has filed a complaint with the FTC aimed at protecting student data. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Google To Cache All Gmail Images, To Some Confusion (December 13, 2013)

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users.
Full Story

BIG DATA

At DPC: Out with Notice and Consent, In with Data Use Regulation (December 12, 2013)

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” This exclusive for The Privacy Advisor examines this idea of holding users accountable, whether they have persuaded a consumer to provide consent by clicking a button or not.

BEHAVIORAL TARGETING—U.S.

AT&T Offers Discount To Users Willing To Be Tracked (December 12, 2013)

AT&T has recently rolled out plans to offer high-speed Internet, including a 30-percent discount for users willing to be tracked, Forbes reports. AT&T’s Fletcher Cook said, “With AT&T Internet Preferences, you allow us to use your web browsing activity … to provide you with more relevant offers and advertising.” Cook also said the company will not sell personal information. Those choosing not to take the discount will not get targeted ads but will still have data about them tracked. “We keep your personal information only as long as needed for business, tax or legal purposes,” he said, adding, “For those that don’t (opt-in), information is safeguarded the same way.”
Full Story

PRIVACY RESOURCES—U.S.

Social Media Guidance for Financial Institutions (December 12, 2013)

After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions.
Read Guidance

PRIVACY LAW—THE NETHERLANDS

New Fining Powers Expected in 2015 (December 12, 2013)

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. In this exclusive for The Privacy Advisor, Jeroen Terstegge, CIPP/US, examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015.
Full Story

PRIVACY COMMUNITY—U.S.

O’Connor Named CDT’s President and CEO (December 12, 2013)

The Center for Democracy and Technology (CDT) has announced former IAPP Board Chair Nuala O’Connor, CIPP/US, CIPP/G, will head the organization. Leslie Harris, CDT president since 2005, announced in July she would resign from the post. O’Connor comes to the CDT from Amazon, where she’s worked as associate general counsel on privacy and data protection. Prior to that, O’Connor worked as chief privacy officer at the U.S. Department of Commerce and later the Department of Homeland Security before settling in at General Electric as chief privacy leader and senior counsel. She told The Privacy Advisor she’ll lean on her past government experience in her new role and looks forward to tackling such issues as surveillance and online decision-making.
Full Story

CLOUD COMPUTING

Snowden Leaks “Gumming Up” Cloud Industry (December 12, 2013)

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry, CNET News reports. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.”
Full Story

PRIVACY LAW—EU

DPAs Say They Aren’t Ready for Reg (December 12, 2013)

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue, PCWorld reports. Irish Data Protection Commissioner Billy Hawkes says, under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules.
Full Story

PRIVACY LAW—U.S.

Groups Want Anonymized Phone Records Protected (December 12, 2013)

In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act, PCWorld reports. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency.
Full Story

PERSONAL PRIVACY—U.S.

Opinion: The Poor Deserve Privacy, Too (December 12, 2013)

In a column for Slate, Seeta Gangadharan and Aleta Sprague report on welfare programs and the amount of sensitive data collected on recipients. The massive amounts of data are stored in potentially unsecure databases for varying amounts of time and sometimes lack permissions controls for case workers, the report states. “Poor people in the welfare system don’t have privacy,” the authors write, “and they don’t factor into broader debates on protecting individuals’ liberty and right to be left alone.” One solution, the authors suggest, is to collect less data on recipients, thereby making the system more efficient and mitigating the potential risk of data loss.
Full Story

Keynote: Forget Notice and Choice, Let’s Regulate Use (December 12, 2013)

There are few privacy principles more generally ingrained than the ideas of notice and choice for consumers. However, said Viktor Mayer-Schönberger from the IAPP Data Protection Congress keynote stage, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” He suggests that rather than giving up on privacy, “what we need is a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data.”

DATA TRANSFER—EU & U.S.

EU, U.S. Officials Indicate Potential Privacy Agreement at DPC (December 11, 2013)

The keynote stage here at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of the U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue.

PRIVACY—U.S.

Getting to Simpler, More Consumer-Friendly Privacy Policies (December 11, 2013)

Prior to stepping down from the Federal Trade Commission, David Vladeck “frequently railed against the current generation of consumer-facing privacy policies” as it becomes clear that consumers just don’t read or understand them. And there is data to back him up, notes GMAC Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E, CIPM. This Privacy Perspectives post looks into several examples of creative ways companies are conveying their privacy policies to consumers, including how GMAC recently converted its entire consumer-facing privacy policy into a series of one-minute videos.
Full Story

GEO PRIVACY

Twitter Partnership Aims To Bolster Location Services (December 11, 2013)

According to MediaPost News, Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users.
Full Story

SURVEILLANCE

NSA Uses Ad-Tracking Tech To Locate Targets (December 11, 2013)

The Washington Post reports on leaked U.S. National Security Agency (NSA) slides that reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information but do include users’ e-mail addresses and numeric codes to identify their browsers, the report states. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” (Registration may be required to access this story.)
Full Story

PRIVACY COMMUNITY

Looking for Love? Try a Privacy Conference (December 11, 2013)

It was winter of 2011, and Rob Gratchner just had to get to the IAPP's Data Protection Congress. His then-girlfriend, now Amanda Gratchner, was attending, and where better to ask her to marry him? But there was a hiccup. A big one. The Paris event was sold out. Despite his pleas to the powers that be at the IAPP, he couldn't get in. "I went to Paris by myself," Amanda says with a bit of a playful tone. But two months later, in Seattle, WA, at the spot where they first kissed, Rob proposed. In this feature, IAPP Associate Editor Angelique Carson, CIPP/US, talks with three couples who found their work in the privacy field—and their spouses, too.
Full Story

DATA LOSS—SWEDEN & U.S.

Breaches Affect Health Providers, College System and Discussion Forum (December 11, 2013)

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, NJ.com reports. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and the publication breached privacy policies to gain the information.
Full Story

SURVEILLANCE—U.S.

Opinion: Privacy Rules Must Not Be Ambiguous (December 11, 2013)

Following an open letter to President Barack Obama in which U.S. tech firms said there’s an “urgent need to reform government surveillance practices worldwide,” David Lazarus opines for Los Angeles Times that there should not be ambiguity when it comes to privacy rules. Lawmakers “need to establish clear national guidelines for privacy” just as the European Union has done, Lazarus writes. “Privacy is too important to be left to businesses and spy agencies. We need someone watching the watchers.”
Full Story

DATA PROTECTION—EU

Live from DPC: Top Audit Failure Points May Not Be What You’d Expect (December 10, 2013)

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list.

PERSONAL PRIVACY

World’s Leading Writers Demand “Digital Bill of Rights” (December 10, 2013)

More than 500 of the world’s top writers have banded together to condemn the scale of government surveillance around the globe, The Guardian reports. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals have undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds.
Full Story

PRIVACY

Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan (December 10, 2013)

In part five of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores building an audit plan, which she says is essential. A few basic steps can help you to prepare and simplify the process, she says. "Writing down all of the details will solidify your plan. You may not be audited right away, and people tend to forget everything that you have told them and panic when they hear the word 'audit.' Having this information written down will help keep everyone focused and moving the same direction," she writes.
Full Story

GEO PRIVACY

AVG Unveils WiFi Do-Not-Track App for Mobile (December 10, 2013)

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking, Forbes reports. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” In October, Daily Dashboard reported on an initiative by the Wireless Registry and the Future of Privacy Forum to offer a brick-and-mortar Do-Not-Track registry for MAC addresses.
Full Story

SURVEILLANCE

U.S., UK Agencies Infiltrate Online Gaming (December 10, 2013)

The Guardian reports on new leaks from Edward Snowden revealing that the U.S. National Security Agency and the UK’s GCHQ have infiltrated large online gaming communities to gather intelligence on possible terrorist activity. According to the documents, the agencies possess massive data-collection capabilities within the Xbox Live console network—a gaming community with approximately 48 million users. Documents also reveal that if done correctly, spying within the networks could produce intelligence on users’ social networking, target identifiers such as profile photos, geolocation, biometrics and other communications. Makers of the game World of Warcraft said they “are unaware of any surveillance taking place … If it was, it would have been done without our knowledge or permission.”
Full Story

PRIVACY LAW—U.S.

GINA: Complying With this Camouflaged Privacy Law (December 10, 2013)

The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon for the Privacy Tracker—and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization. (IAPP member login required.)
Full Story

PRIVACY COMMUNITY—NEW ZEALAND

John Edwards Is New Privacy Commissioner (December 10, 2013)

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years, reports The New Zealand Herald. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February.
Full Story

PRIVACY LAW—U.S.

LinkedIn Seeks Class-Action Dismissal (December 10, 2013)

SC Magazine reports LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users' accounts for promotional use.” In an argument filed Friday in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site's terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.”
Full Story

SURVEILLANCE

Tech Giants Urge Global Surveillance Reform (December 9, 2013)

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website reformgovernmentsurveillance.com to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data.

PRIVACY LAW

Regulators Across the Globe Taking Action (December 9, 2013)

From the U.S. Federal Trade Commission (FTC) to the Dutch Data Protection Authority (DPA), regulators are asserting themselves in consumer privacy issues. This Privacy Tracker weekly legislative roundup offers information on the FTC’s settlement with a flashlight app developer, as well as its plans for the upcoming year, and the Dutch DPA’s findings in its investigation of Google’s privacy policy. Meanwhile, the UK Information Commissioner’s Office announced that pending new pan-Europe legislation will result in significant budget losses, causing it to restructure; some are calling U.S. state attorneys general the most important privacy regulators in the country, and BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. (IAPP member login required.)
Full Story

DATA PROTECTION—EU

One-Stop-Shop Principle Delays Progress on Reg (December 9, 2013)

The proposed EU Data Protection Regulation suffered a setback last week when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year, EU Observer reports. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights.
Full Story

PRIVACY LAW—U.S.

Court To Hear California DNA Law Arguments Today (December 9, 2013)

The Associated Press reports a panel of 11 Ninth Circuit Court of Appeals judges will hear oral arguments today in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland's narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California's law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes.
Full Story

BEHAVIORAL TARGETING—U.S.

Many Stores Tracking Shoppers This Holiday Season (December 9, 2013)

U.S. retailers are putting small tracking devices to work monitoring shoppers and their cellphones, to “tally how long people wait in line and where they shop,” The Wall Street Journal reports. The Future of Privacy Forum (FPF) has estimated “about 1,000 retailers, from tiny boutiques to Macy's Inc., have outfitted their aisles with sensors to monitor shoppers' paths,” the report states. While FPF has asked retailers to notify shoppers they are using such technology, and eight makers of tracking devices asked their clients to post such disclosures, the report notes, “the idea went nowhere with retailers.” Other retailers, meanwhile, have cited privacy concerns as their reason for holding off on using tracking technology, and some customers have complained about such practices as stores using WiFi signals to track customers through their cellphones. (Registration may be required to access this story.)
Full Story

BIOMETRICS—U.S.

NTIA Announces Facial Recognition Meeting Schedule (December 9, 2013)

Government Security News reports on the announcement in the Federal Register detailing the National Telecommunications and Information Administration’s (NTIA) series of eight meetings related to the “Consumer Data Privacy Code of Conduct” on facial recognition technology first reported last week. The meetings will be held in Washington, DC, and will be open to the public. The report includes the dates of the eight meetings, beginning with one on February 6 aimed at beginning a “factual, stakeholder-driven dialogue regarding the technical capabilities and commercial uses of facial recognition technology.” The NTIA plans to circulate a draft for public comment following the last meeting on June 24.
Full Story

PRIVACY COMMUNITY—U.S.

PCLOB Announces New Job Openings (December 6, 2013)

The Privacy and Civil Liberties Oversight Board (PCLOB) has announced it is looking to hire attorney advisors “who will assist the board in carrying out its oversight and advice functions regarding federal counterterrorism matters.” According to the official job description, many of the cases and problems that will be handled by the incumbent will “involve little or no established precedent, may present delicate legal or factual situations and may involve important Constitutional principles.” In comments provided to the Daily Dashboard, PCLOB Chairman David Medine wrote, “Thanks to the funding provided by Congress to the Privacy and Civil Liberties Oversight Board in October, PCLOB is now able to expand its staff by hiring several lawyers. These new lawyers will increase the board's ability to oversee existing federal counterterrorism programs and provide advice on the development of new programs, in order to ensure that the need for such efforts is balanced with the need to protect privacy and civil liberties.”

PRIVACY PROFESSION

What Makes a Good Privacy Pro? (December 6, 2013)

“For companies striving to maintain compliance with myriad global data protection and privacy rules, and keeping up with future developments, the privacy professional is key,” writes Reed Elsevier Senior Director of Privacy and Data Protection Emma Butler. “Increasingly,” she points out, “companies seem to think that they have to hire qualified lawyers to fulfil this role, but is that really the case?” This Privacy Perspectives post looks into this question and asks if a business wants “a lawyer who just advises on the interpretation of the law and leaves decision-making on privacy and subsequent implementation to the business? Or do you want a practitioner who can drive the privacy program from the ground up, making key decisions and delivering privacy effectively across the business?”
Full Story

DATA LOSS

Breach May Hit 465,000 Cardholders; 2M Passwords Stolen (December 6, 2013)

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cyberthieves, Reuters reports. The cards were used by corporations to pay employees and by government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. In a separate incident, CNN reports that keylogging software installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo.
Full Story

CONSUMER PRIVACY—U.S.

FTC Settles with Flashlight App Developer (December 6, 2013)

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014.
Full Story

TARGETED ADVERTISING

Twitter Starts Ad Targeting; Automaker Tracks from Showroom (December 6, 2013)

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ, Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).”
Full Story

BIG DATA

Data-Mining Software Biz Expects To Raise $100M (December 6, 2013)

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—U.S.

Potential Settlement Over Alleged Data-Mining Without Notice (December 6, 2013)

A filing this week indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations.
Full Story

HEALTHCARE PRIVACY—U.S.

OCR Not Fully Enforcing HIPAA; Revisions Called For (December 6, 2013)

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care.
Full Story

PRIVACY LAW—U.S.

Where the FTC is Headed in 2014 (December 5, 2013)

On Capitol Hill Tuesday, all four FTC commissioners testified before a House Energy and Commerce subcommittee—their first-ever joint appearance in Congress—to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on its current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC. Jedidiah Bracy, CIPP/US, CIPP/E, provides an exclusive report for The Privacy Advisor on remarks by Rep. Marsha Blackburn (R-TN), who co-chairs the bipartisan privacy working group in the House Energy and Commerce Committee with Rep. Peter Welch (D-VT), and FTC Bureau of Consumer Protection Director Jessica Rich.

PRIVACY LAW—EU

Draft EU Data Protection Package: A History and Look to the Finish Line (December 5, 2013)

Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task, but the Snowden revelations certainly haven’t made things easier. Nóra Ní Loideain examines in this exclusive for The Privacy Advisor the underpinnings of what has led to the EU Data Protection Reform’s current state and looks at whether the Greek or Italian presidencies will be able to push through a package that has so far eluded Denmark, Cyprus, Ireland and now Lithuania. Will it be done before the parliamentary elections in May? It’s now looking increasingly unlikely.
Full Story

TARGETED ADVERTISING

Acxiom Signs First Long-Term Ad Agency Deal (December 5, 2013)

One of the leading brands in the data brokering business, Acxiom, has signed what AdAge is reporting as a “multi-year deal with one of the biggest media agencies in the business: Starcom MediaVest Group.” The deal allows Starcom access to Acxiom’s Audience Operating System, which offers audience segmentation and targeting across online and offline media, thanks to first- and third-party data. "We believe leveraging Acxiom client data with third-party media data across any channel is going to … shape the market in years to come," said Laura Desmond, CEO at Starcom MediaVest Group, which is part of Publicis Groupe. The deal is significant, Acxiom says, because it has formerly only worked with individual brands and companies. "This Starcom partnership is a huge deal for us because Acxiom has never had in its 40-year history a relationship with an agency," said Acxiom CEO Scott Howe.
Full Story

FINANCIAL PRIVACY—U.S.

The Impact of New Payment Card Industry Standards on Business (December 5, 2013)

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. In this exclusive for The Privacy Advisor, Rebecca Shwayri takes a closer look.
Full Story

DATA PROTECTION

Microsoft Beefing Up Encryption Following Gov’t Spying Revelations (December 5, 2013)

A Microsoft blog announces the company is “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” The company says allegations that some governments circumvent online security measures to collect private customer data put such governments alongside such threats as sophisticated malware and cyber attacks. As such, Microsoft plans to encrypt all services, reinforce legal protections for customers and expand the transparency of its software code. Microsoft General Counsel Bradford Smith said revelations the government might be hacking into corporate data centers “was a bit like an earthquake, sending shock waves across the tech sector.”
Full Story

SURVEILLANCE—U.S.

Gov’t Gathering Five Billion Cellphone Locations Per Day (December 5, 2013)

The Washington Post reports on the National Security Agency’s (NSA) gathering of nearly five billion records per day on cellphone locations around the world. According to documents provided by former NSA contractor Edward Snowden, the documents’ details are stored in a vast database, and new tools to analyze the data have resulted in mass surveillance as the agency is capable of tracing cellphones globally and retracing movements. Privacy advocates have concerns about the agency’s ability to establish relationships between phone users based on such data. Chris Soghoian of the ACLU said the only way to hide your location is to “live in a cave.” Meanwhile, a Brown University panel recently discussed NSA spying and how sophisticated government agencies have become in analyzing such data. (Registration may be required to access this story.)
Full Story

DATA SECURITY—UK

Just Nine Percent of Customers Have Faith Brands Will Secure Their Data (December 5, 2013)

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20 percent said they would inform police of a data loss, considering it a criminal offense, and 63 percent said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said Fujitsu CSO UK & Ireland David Robinson. Research was conducted by OnePoll, an independent research consultancy based in London. The consumers in the UK completed an online survey in October.
Full Story

PRIVACY

Report: Developing Countries Need Privacy Laws To Bridge the Gap (December 5, 2013)

UN trade and development body Unctad has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. The Guardian reports that as of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy.
Full Story

DATA PROTECTION—HONG KONG

Commissioner Rules Fitness Center Collected Excessive Data (December 5, 2013)

California Fitness has been fined by Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law, the South China Morning Post reports. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” (Registration may be required to access this story.)
Full Story

PRIVACY COMMUNITY—U.S.

White House’s Wong: Privacy Czar May Not Be the Answer (December 4, 2013)

In her first public speech since being appointed White House deputy chief technology officer, Nicole Wong kicked off yesterday’s IAPP Practical Privacy Series event in Washington, DC, by praising the work of public-sector privacy professionals. “I’ve generally stayed away from public addresses,” she said, “but this invitation to speak to you, this is important to me. You are my peeps.” In her address, Wong backed continued transparency and suggested the concept of a top-down federal privacy czar might not be the best solution. This exclusive for The Privacy Advisor reports on Wong’s address and what it could mean for the privacy community.

PRIVACY LAW—U.S.

State AGs: The Most Important Regulators in the U.S.? (December 4, 2013)

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead.
Full Story

PRIVACY BIZ—U.S.

Big Data Jobs Board Sees Privacy Jobs Growing Fastest (December 4, 2013)

While Big Data jobs are growing at a 26 percent clip, privacy jobs as a subset of those Big Data roles are growing even faster. Such are the findings at iCrunchData.com, a Big Data-focused jobs board that this year has begun tracking Big Data positions throughout the entire United States through its Big Data Jobs Index. Founded 11 years ago, the site is not unlike Monster and other jobs boards where companies pay to post positions and potential employees can search and post resumes. Now the company is tracking subsets of the Big Data job community and spoke this week with The Privacy Advisor about trends the board is seeing in privacy jobs and privacy job postings.
Full Story

PRIVACY LAW—U.S.

Google Wins Dismissal in Privacy Policy Case (December 4, 2013)

Google has won dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products, Bloomberg reports. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also allowed the plaintiffs to refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.”
Full Story

INFORMATION SECURITY

Researchers Create Malware Able To Jump Non-Connected Devices (December 4, 2013)

Ars Technica reports on newly developed malware capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.”
Full Story

STUDENT PRIVACY—U.S.

ALEC Publishes Model Bill for State Education CPOs (December 4, 2013)

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall.
Full Story

PRIVACY LAW—EU

Member States Need More Time with Regulation Proposal (December 4, 2013)

Bloomberg reports the EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht.
Full Story

HEALTHCARE PRIVACY—U.S.

State Insurance Commissioner Recommends Privacy Training (December 4, 2013)

The Texas Department of Insurance is proposing rules for federal health insurance exchange navigators, including criminal background checks, proof of identity and privacy training, Insurance Journal reports. Commissioner of Insurance Julia Rathgeber said the rules “address insufficiencies in federal regulations and make the training and qualifications of navigators in our state more readily apparent to consumers and service providers.” Under state law, the commissioner of insurance is required to set standards on navigators if federal standards are deemed insufficient. Meanwhile, Computerworld reports that the Healthcare.gov site, reportedly improved and secured after risks were identified, has not been fixed, according to a security expert.
Full Story

BIOMETRICS—U.S.

Apple Granted Facial Recognition Technology Patent (December 4, 2013)

Apple devices, in the future, may employ facial recognition technology to allow users to control some features, Los Angeles Times reports. The company was granted a patent Tuesday for “personal computing device control using face detection and recognition,” referring to an Apple device that would be able to recognize if the person standing in front of it was “authorized.” Daily Dashboard reported yesterday that the National Telecommunications and Information Administration will host a multi-stakeholder process on facial recognition technology early next year.
Full Story

PRIVACY LAW—EU & U.S.

Legal Reform Needed in U.S., Not Just Europe (December 3, 2013)

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror.

DATA LOSS

Roundup: Breaches Abound; Outcomes Announced (December 3, 2013)

Across the globe, reports of data breaches—and the outcomes of past data loss incidents—continue to make headlines. This roundup for The Privacy Advisor examines some of the most recent breach headlines, including a breach at Arizona’s Maricopa County Community College District in the U.S. that has cost the district millions and required it to notify “nearly 2.5 million students, former students, employees and vendors that hackers may have compromised their personal information,” as well as incidents involving Vodafone Iceland, the Australian Broadcasting Corporation and a UK council. The report also highlights recent legal and data protection authority actions from across the globe.
Full Story

CONSUMER PRIVACY—U.S.

FTC Unveils Privacy Focus for 2014 (December 3, 2013)

The U.S. Federal Trade Commission (FTC) has announced it will host a set of three seminars to explore consumer privacy issues and “examine the privacy implications of three new areas of technology that have garnered considerable attention.” The FTC will explore mobile device tracking, alternative scoring products and consumer-generated and -controlled health data. The first seminar, focusing on mobile device tracking, will be held in February. Meanwhile, a Government Health IT report asks, “Can the FTC regulate digital health privacy?” and looks into both sides of the data security debate between the FTC and Atlanta-based health diagnostics firm LabMD.
Full Story

CYBERSECURITY—U.S.

NIST To Host Privacy Panel December 19-20 (December 3, 2013)

The National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board is set to host a two-day, open meeting in Washington, DC, according to the Federal Register. Two main topics to be discussed are President Barack Obama’s Executive Order 13636 on critical infrastructure cybersecurity and potential incentives that should be adopted for improved cybersecurity practices. The report also features an agenda for the meetings, which includes updates on legislative proposals pertaining to information security and privacy, a discussion on cryptography and an update on the Privacy and Civil Liberties Oversight Board.
Full Story

BIOMETRICS—U.S.

Next NTIA Project To Focus on Facial Recognition (December 3, 2013)

The National Telecommunications and Information Administration (NTIA) announced today it is launching a new multi-stakeholder process that will focus on the commercial use of facial recognition technology. While the technology has potential for innovative use that could improve services for consumers, writes Department of Commerce Assistant Secretary for Communications Lawrence Strickling, “the technology poses distinct privacy challenges. Digital images are increasingly available, and the importance of securing faceprints and ensuring consumers’ appropriate control over their data is clear.” The NTIA, which most recently used the multi-stakeholder process to release a code of conduct to improve privacy notices on mobile devices, will convene the first meeting to explore privacy safeguards for facial recognition technology on February 6 at 1 p.m. The public and all stakeholders are invited, and the meeting will be webcast.
Full Story

ONLINE PRIVACY

Social Media Guru Deletes Facebook Account, Citing Need To “Take a Stand” (December 3, 2013)

Danny Brown, co-author of Influence Marketing: How To Create, Manage and Measure Brand Influencers in Social Media Marketing and author of HubSpot’s “#1 marketing blog in the world,” announced yesterday he has deleted his personal Facebook account because “at some point, we need to take a stand for our privacy.” Admitting he understands the irony of a marketer who uses social media data as a key part of strategic planning complaining about Facebook privacy, Brown says he simply can’t trust the product any longer and, as a marketer, no longer even trusts that the user data is being created by the users themselves. He understands the concept of “being the product” but now feels “it’s essentially a target on your data forehead, and hunting season is always open.”
Full Story

ONLINE PRIVACY

New Study Uses Bots To Track the Trackers (December 3, 2013)

Forbes reports on a new study led by researchers at Princeton University and Belgium’s KU Leuven to discover patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.”
Full Story

PRIVACY—U.S.

Opinion: Privacy Concerns Are Limiting the Benefits of Technology (December 3, 2013)

Reihan Salam explores in this Reuters op-ed the impact that privacy concerns have on the societal benefits of technological innovation. Highlighting the friction between Stewart Baker’s stance on NSA intelligence-gathering and civil liberties advocates’ concerns with the violation of privacy, Salam writes, “I couldn’t tell you which side is closer to the mark,” adding, “What is increasingly clear to me, however, is that privacy concerns are limiting our ability to flourish as a society for reasons having nothing to do with NSA surveillance.” Salam goes on to discuss the recent Food and Drug Administration actions against 23andMe as well as the reluctance of higher education institutions to build a “student unit records” database as evidence for his theory. Editor’s Note: Stewart Baker will take part in a discussion about government access to information at the upcoming IAPP Data Protection Congress in Brussels this month.
Full Story

PRIVACY LAW

Safe Harbor Revelations and Global Developments (December 2, 2013)

This week’s Privacy Tracker legislative roundup includes the IAPP’s coverage of the European Commission’s report critiquing the EU-U.S. Safe Harbor agreement and offering the U.S. 13 ways to save it, and insight from Eduardo Ustaran, CIPP/E, on the report. You’ll also find information on the United Nations’ approval of an unlawful surveillance resolution, why India may have to wait a little longer for a privacy law and South Africa’s new law. In the U.S., more regions are considering social media laws and DNA databases, and courts have decided cases relating to COPPA and consumer privacy.

PRIVACY—U.S.

ICYMI: Top News of the Past Week (December 2, 2013)

While many in the U.S. may have had abbreviated work schedules last week to observe the Thanksgiving holiday, the privacy world was anything but quiet, with everything from Safe Harbor developments to the announcement of an interim privacy commissioner in Canada making headlines. The biggest news leading up to Thanksgiving was the European Commission’s release of its report on EU-U.S. data flows, including 13 recommendations to the U.S. to improve Safe Harbor by the summer. This exclusive for The Privacy Advisor includes commentary on the report from FTC Commissioner Julie Brill, Dutch MEP Sophie in ‘t Veld and Covington & Burling’s Henriette Tielemans. In other news, the Center for Democracy & Technology’s Justin Brookman weighed in on recent reports about a smart TV collecting and sharing user data; the UN passed a resolution on unlawful surveillance originally proposed by Brazil and Germany, and U.S. District Court Judge Lucy Koh dismissed a lawsuit accusing Apple of not complying with the privacy promises it makes to iPhone and iPad users.
Full Story

SURVEILLANCE—U.S.

Amazon Plans To Deliver Packages by UAVs (December 2, 2013)

On 60 Minutes, Amazon CEO Jeff Bezos unveiled plans to use unmanned aerial vehicles (UAVs) to deliver packages to customers. University of Washington Law Prof. Ryan Calo said this is the type of commercial application Congress envisioned when it ordered the Federal Aviation Administration (FAA) to open up airspace to the technology, The Washington Post reports. “By 2015, the FAA has to come up with a set of rules that integrates just the kind of thing that Amazon is talking about,” said Calo, adding that the agency may initially require humans to guide the UAVs remotely.
Full Story

PRIVACY LAW—THE NETHERLANDS

Dutch DPA Says Google Policy Violates Law (December 2, 2013)

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.”
Full Story

PRIVACY COMMUNITY—CANADA

Stoddart Departing Commissioner’s Post (December 2, 2013)

Postmedia News reports on Privacy Commissioner Jennifer Stoddart’s departure from office and the work she did while there, including taking on big companies like Google and Facebook in defense of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier will step up as interim privacy commissioner until Stoddart is replaced.
Full Story

SURVEILLANCE—U.S.

Will A Not-So-Friendly R2-D2 Be Your Next Security Guard? (December 2, 2013)

“The night watchman of the future is five feet tall, weighs 300 pounds and looks a lot like R2-D2—without the whimsy,” The New York Times reports in a feature about a California company’s mobile robot. Knightscope’s K5 Autonomous Data Machine, to be unveiled Thursday, has been developed “as a safety and security tool for corporations, as well as for schools and neighborhoods,” the report states. Some see such a move as “an entry point to a post-Orwellian, post-privacy world,” the report adds, quoting the Electronic Privacy and Information Center’s Marc Rotenberg as saying, “This is like R2-D2’s evil twin.” (Registration may be required to access this story.)
Full Story

BIOMETRICS

Advancements in Facial Recognition Raise Privacy Questions (December 2, 2013)

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust,” The New York Times reports. While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—SOUTH AFRICA

Zuma Signs Privacy Bill Into Law (December 2, 2013)

President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law, reports Global Post. “The act will give effect to the right to privacy, by introducing measures to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act.
Full Story

ONLINE PRIVACY—U.S.

Software Aims To Protect Social Media Content (December 2, 2013)

MediaPost reports that managing social media privacy settings might become easier due to software that can suggest privacy settings for content you share with different groups. The software uses data-mining techniques to analyze the structure of users’ social networks and then predicts what kind of privacy they would choose, the report states. It was developed by researchers at Penn State and the Missouri University of Science and Technology, and its developers say the software is 77 percent accurate in guessing what kind of privacy people would assign each piece of content.
Full Story