We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.
At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.
But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.
In the meantime, though, Happy Easter!
Rita Di Antonio
“If the revision process currently undertaken by the European Commission does not lead to a positive outcome, then the Safe Harbor agreement should be suspended.” That was the message in a letter to Vice President and Commissioner for Justice Viviane Reding from Article 29 Working Party (WP) Chair Isabelle Falque-Pierrotin. The improvements made to modify Safe Harbor must be “valuable to the European Commission,” the letter states. Meanwhile, the WP has also issued an opinion on “making data processing legitimate.” The opinion states, “Beyond guidance on the practical interpretation and application of Article 7(f) under the current legal framework, it aims at formulating policy recommendations to assist policy makers as they consider changes to the current data protection legal framework.” A second WP opinion “analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them.”
Since the Court of Justice of the EU (CJEU) rejection of the Data Retention Directive, several member states have taken action. Norway has changed plans to incorporate the directive into law, with officials confirming the government “will prepare a new proposal for data storage.” Swedish authorities, meanwhile, “won’t take action against an ISP that erased all retained communications metadata, even though there is still a law in place compelling providers to retain such data,” PC World reports. And in The Netherlands, the GroenLinks Party “plans to introduce legislation within two weeks ending the requirement for telecom and Internet companies to store data on customer communications.” This week, the IAPP’s Privacy Tracker legislative roundup includes, with other news from round the globe, the CJEU’s recent decision invalidating the directive. (IAPP member login required.)
The European Commission has launched a consultation on mobile health (mHealth) and patient care, European Voice reports, in an effort “to improve the use of mobile devices such as smartphones and tablets.” European Commissioner Neelie Kroes noted, “mHealth will reduce costly visits to hospitals, help citizens take charge of their own health and wellbeing and move toward prevention rather than cure.” However, the report states, “there are rising concerns among patients about data protection and safety issues. The European Commission is now requesting information on how to deal with these issues and on what level—European or national.” The mHealth consultation will continue until 2 July.
Spain’s Data Protection Agency (AEPD) has published a draft privacy impact assessment (PIA) guide and “initiated a public consultation, open until 25 April, to garner opinion and comments on the guide,” Mondaq reports. The PIA guide provides “a framework to improve privacy and data protection in relation to an organisation's technological developments, with the aim of helping them identify, address and minimise data protection risks prior to the implementation of a new product or service,” the report states. In the guide, the AEPD discusses the importance of developing PIAs to show organisations are performing due diligence and developing “appropriate methods and procedures for addressing privacy risks,” the report states.
Hackers recently accessed the details of 500,000 individuals considering cosmetic surgery, The Guardian reports. The UK’s Harley Medical Group said it believes the hack was an attempt to extort money from the company, and the information includes potential clients’ names, addresses and telephone numbers. Also in the UK, the Information Commissioner's Office has said a "series of errors" by Wokingham Borough Council led to the delivery of a record "with no consideration given to its content." Meanwhile, French computer hardware manufacturer LaCie is notifying customers their personal information may have been compromised after hackers used malware to infiltrate transaction data from its website. Customers who bought products between March 2013 and March 2014 may have been affected. Meanwhile, in Ireland, the Data Protection Commission is investigating a breach at Cork Institute of Technology where applicants were “given portfolio assessment marks of other applicants instead of receiving just their own result.”
Malta has a new commissioner for information and data protection with the appointment of Saviour Cachia, who took the oath of office on Wednesday, Malta Independent reports. Education Minister Evarist Bartolo has asked Cachia “to review the legal notice which empowers him to collect data on students, from ability reports to their identification card number,” the report states, noting Bartolo has said he is seeking to “work hand in hand” with Cachia “in order to be guided to ensure protection of the data subjects.” The report states the Partit Nazzjonalista has written to Cachia contending Legal Notice 76 “is a threat to the dignity and privacy of students and their families.”
The Guardian reports on how communities used “fixed and mobile CCTV cameras to impose parking and traffic fines” totaling GBP 300 million in the past five years, raising concerns from privacy advocates. “Big Brother Watch said figures obtained under the Freedom of Information Act showed that the number of CCTV cars in operation had soared by 87 percent since 2009, despite a new code of practice saying CCTV should be used only sparingly for traffic offences,” the report states, noting 90 percent of the revenue raised came from boroughs of London.
Bulgaria’s Commission for Personal Data Protection will meet with the Central Electoral Commission (CEC), Focus Information Agency reports. “The Commission for Personal Data Protection is to launch a probe into the filed complaints and the work done at the CEC,” said Commission for Personal Data Protection Chair Ventsislav Karadzhov, adding, “We will provide instructions of technical nature to the CEC and consider the respective complaints.” The commission will also “impose the respective punitive measures if violations of laws are ascertained,” Karadzhov said.
“With cloud computing, many fear losing control. True, supply chains may be complex … However, users can retain control in cloud computing—depending,” writes cloud computing expert Kuan Hon in this Privacy Tracker post. Using examples of the evolution of the EU Data Protection Directive and cases from the EU Court of Justice and the Danish Data Protection Agency, Hon outlines reasons the data export restriction and the “transfer to a third country” provisions are antiquated in today’s technological environment. “Nowadays, physically confining data to the EEA does not equate to or guarantee data protection. Yet vast amounts of time and resources are poured into compliance with the restriction, which could be better spent on improving information security,” Hon writes. (IAPP member login required.) Editor's Note: The IAPP and TRUSTe will present a free web conference, The Role of Privacy Seals and Certifications in Building Trust and Global Interoperability, on May 8.
INTERNET OF THINGS
Wired reports on one of the latest projects from Google X lab, a smart contact lens with a built-in camera. An earlier iteration of the lens could be used to monitor blood glucose levels via tear fluid. This latest project would include a sensor, circuit and camera. The sensor could be used to detect light, pressure and temperature to give people a sort of “sixth sense.” According to the report, the technology “isn’t all that far off,” as clunkier versions have been tested, adding, “If these contact lenses ever do come to market, it means you can leapfrog the Glasshole stage and go straight to Lenshole.”
As the inaugural IAPP Westin Research Fellows Kelsey Finch and Dennis Holmes prepare for life after Portsmouth, NH, the IAPP is proud to announce our second batch of newly graduated students looking to continue their studies in privacy. Patricia Bailin, coming from Tufts’ Fletcher School of Law & Diplomacy, and Arielle Brown of the University of Colorado School of Law will join the IAPP Westin Research Center this fall after wrapping up their current studies. IAPP Publications Director Sam Pfeifle makes introductions.
BIOMETRICS—FRANCE & U.S.
The Christian Science Monitor reports on the differing privacy norms in France and the U.S. through the prism of a case where a high school student was raped and more than 500 male students and staff willingly submitted to DNA testing to help find the rapist. One expert said that although the French value their privacy, the case has not sparked a mass outcry because of its criminal context. In the U.S., the case likely would have raised civil rights and Fourth Amendment violation concerns, the report states. Pascale Gelly, CIPP/E, said, “France takes data privacy very seriously,” adding, “Massive testing will always raise privacy issues, and that’s good because it’s always important to (ask) the question, ‘Is it proportionate or not?’”
DATA LOSS—CANADA & UK
Two websites, Canada’s tax authority and a British parenting website, have said some of their users’ data has been compromised as a result of the Heartbleed bug, and, according to PC World, these are the first two admissions stemming from the now infamous OpenSSL security vulnerability that was exposed last week. The Canada Revenue Agency (CRA) blocked online public access to its site last week. “Regrettably, the CRA has been notified … of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said. British parenting site Mumsnet assured its more than one million users it “followed all the published steps to protect members’ security … but it seems that the breach occurred prior to that risk becoming known.”
Amidst controversies with privacy groups over its scanning of user e-mail, PC World reports, “Google has updated its terms of service to reflect that it analyzes user content including e-mails to provide users tailored advertising, customized search results and other features.” The report highlights actions around Google’s practices and quotes the new terms of service, which went into effect Monday, as stating, “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.”
Scientists from Pennsylvania State University say they’ve developed a way to find Twitter posts that identify viral illnesses, InformationWeek reports. In a recently published paper, “On the Ground Validation of Online Diagnosis with Twitter and Medical Records,” researchers say they’ve created “a system for making an accurate influenza diagnosis based on an individual’s publicly available Twitter data.” The researchers say they were able to determine, with 99-percent accuracy, whether an influenza outbreak was occurring by combining text analysis, anomaly detection and social network analysis. In 2008, similarly, Google began estimating flu infections by tracking flu-related search terms.
In the latest installment of her 10-part series on creating a quality privacy program, Deidre Rodriguez, CIPP/US, discusses the importance of learning from others’ mistakes in order to keep your brand out of trouble. “The least painful and easiest lessons are the ones that we can learn from others’ mistakes,” Rodriguez writes in this exclusive for The Privacy Advisor. “As privacy professionals, it’s important that we take time to peruse the headlines and read articles that talk about others’ mistakes.” She outlines four action items privacy pros should take while scanning headlines. Editor’s Note: Did you miss the first seven installments of this series? See them here.
Last week, Facebook announced it was unveiling a new set of user privacy controls. The move comes a month after the IAPP Global Privacy Summit, where Facebook CPO Erin Egan said, “If people are surprised, that’s not good for me.” What did she mean, exactly? This post for Privacy Perspectives looks at the promise of surprise minimization and how, “in a Big Data and Internet of Things world where providing users with notice and choice can prove difficult,” it “is becoming a powerful tool businesses can use to help engender trust with consumers while avoiding the ire of regulators.”
CLOUD COMPUTING—EU & U.S.
With big-name providers reducing prices to beat the competition for cloud services, ZDNet reports on Finland-based UpCloud, which believes customers’ desire for privacy means the “opportunity to break into the sector has never been greater.” Some customers, UpCloud’s Antti Vilpponen says, “want to stay away from U.S. companies,” increasing the demand for non-U.S. providers. “Naturally we comply with the laws of the countries where we operate, but as customers' personal information is always stored in Finland, that stays under Finnish law,” Vilpponen said. Other European companies are also looking to “tackle the U.S. privacy issue,” the report states, suggesting “North America … is seen as potentially easy pickings for European startups that focus on privacy.”
A new online tool has been launched to help users identify large merchants and hotels that have exposed credit card data and other personal information to hackers, Inside Counsel reports. PrivacyAtlas.com allows users to search through 39,000 hotel and motel locations as well as 28,000 chain stores. Security Validation President and CEO David Durko said, “Consumers want to know how safe their credit card data is when it’s shared with hotels, retail stores or online.” The tool assesses whether a given retailer is PCI-DSS compliant. For businesses, participation with PrivacyAtlas is voluntary, but those that choose not to disclose their compliance status with the site receive a “black mark.”
PRIVACY LAW—EU & HUNGARY
The Court of Justice of the European Union (CJEU) has determined “Hungary violated European Union law by firing the head of its data protection agency (DPA) in 2012,” The Wall Street Journal reports. In its judgment Tuesday, the CJEU found national DPAs “must not be bound by instructions of any kind” and their decision-making processes “must be free from political influence,” noting if a government can fire staff before their terms’ end, “that authority might be prompted to enter into a form of prior compliance with political powers.” The CJEU has ordered Hungary to comply “without delay” but has not specified “what form compliance should take,” the report states. (Registration may be required to access this story.)