European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY

Dennedy Offers Tips for Consumers (March 29, 2013)

Noting the uptick in victims of cyber attacks and the huge increase in the number of malicious smartphone applications identified last year, McAfee Chief Privacy Officer Michelle Dennedy, CIPP/US, writes for The Huffington Post about online threats to consumers. “Most consumers assume that the websites they frequent have top-notch cybersecurity and privacy controls. Rather than assume, users should do some simple investigating on the security of these sites,” Dennedy writes, offering the following tips to consumers: Change passwords often, read privacy settings and licensing agreements, avoid public or open WiFi and practice safe surfing.

GENETIC PRIVACY—EU & IRELAND

DNA Data Withdrawn; Blood Samples Retained (March 28, 2013)

A research team at the European Molecular Biology Laboratory (EMBL) published work on a cell line widely used in cancer studies known as HeLa, revealing a large portion of its genetic sequence, reports Science Insider. The work was quickly withdrawn when it was discovered that neither the original source nor her descendants had ever given permission for the use or publication of their genetic code. An EMBL spokesperson stated, “We hope that the outcome of this process will be that the genomic sequence of the HeLa cell line will be publicly available for scientific research; however, our first priority are the privacy concerns of the family.” Meanwhile, Ireland Minister for Health James Reilly has ordered the Health Service Executive not to discard more than 1 million blood samples taken from children, The Irish Times reports.

DATA RETENTION—UK

UK Home Office Seeks Feedback on Data Retention (March 28, 2013)

UK Home Office Secretary of State Theresa May has initiated a public consultation on the necessary retention of biometric data for the purpose of national security, reports Biometric Update. While fingerprints and other DNA evidence are vital to police investigations, protecting innocent individuals who have their DNA taken and held by police is also of concern. The Protection of Freedoms Act of 2012 strives to provide a “new framework” for law enforcement, as well as provide “the necessary balance between public protection and individual freedoms,” May stated.

CLOUD COMPUTING—UK

Study: BYOD Risks Increase With Cloud Use (March 28, 2013)

As risks of data leaks increase with the proliferation of BYOD, a University of Glasgow study indicates companies are more vulnerable with employee use of certain cloud storage services. Researchers found data could be recovered from devices in memory or memory cards or via malware with “root access” to the device. "From a forensics perspective, there is little you can do on a device today without leaving some kind of remnants," said Paul Henry, a forensic analyst for Lumension. One of the study’s researchers also noted that the separation of personal and corporate data on a device is critical, adding, “The cloud applications must be part of the bigger picture of how you segregate the device.”

DATA PROTECTION—GERMANY & U.S.

Corporate Privacy Practices Surprisingly Similar (March 28, 2013)

In the second of a series of blog posts for the IAPP’s Privacy Perspectives, Profs. Deirdre Mulligan and Kenneth Bamberger write of their research, “The two countries in which privacy officers were most empowered, and most involved in shaping firm strategy, couldn’t be more different in terms of their regulatory substance and form—Germany and the U.S.” They note that the results are “especially startling, because in global debates the German legal commitment to privacy protection is frequently held up as representing one end of the spectrum (strongest), while the U.S. approach is placed at the other.” In the post, Mulligan and Bamberger delve into why “a few elements of the German scene stand out in explaining some of the similarities.”

CYBERSECURITY—UK

Gov’t To Partner With Industry on Cyber Threat Info (March 28, 2013)

ComputerWeekly reports that the UK government has unveiled plans to work with industry to share cyber-threat information. The Cyber Security Information Sharing Partnership (CISP) features a virtual “collaboration environment” portal where government and business can securely share intelligence on cyber threats and vulnerabilities. The initiative also has the support of the Obama administration. Former White House Cyber Security Advisor Howard Schmidt said, “U.S. experience has shown the importance of leadership in business in fighting cyber threats, and that is why the UK CISP is important and will succeed.” Editor’s Note: The breakout session Cyber Attacks: Legal Implications for Financial Institutions will be part of the IAPP Data Protection Intensive in London, UK, April 23-25.

PRIVACY LAW—EU

Opinion: EC Proposal Will “Stifle Innovation” (March 28, 2013)

Wired reports that James Leaton Gray, head of information policy and compliance at the BBC, recently warned attendees of an e-privacy seminar that the European Commission, in writing its data protection proposal, is playing catch-up with technology instead of creating a scalable system that looks toward the future. Gray said the regime will “stifle innovation. I know it's not intending to—but it's thinking about the present world, not the future world. We have to get used to the idea that the TV set is going to be the computer of the future—people will sit in front of it, interacting, it will be gesture-based.” He acknowledged specific challenges like getting consent from the “thousands of channels you use.” Editor’s Note: This year’s IAPP Data Protection Intensive features several panels exploring the latest developments on the proposed General Data Protection Reform.

DATA PROTECTION—UK

ICO May Get Audit Powers; 80 Percent of ICO Fines Self-Reported (March 27, 2013)

Out-Law.com reports that the UK Ministry of Justice has opened a consultation on making public health organizations subject to compulsory data protection audits by the Information Commissioner’s Office (ICO). Currently, the ICO has powers to audit central government departments but must obtain consent from other public bodies prior to an audit. And a new Field Fisher Waterhouse (FFW) report has found that 84 percent of the fines issued by the ICO in 2012 were handed down to organizations that self-reported a breach. FFW Partner Stewart Room, CIPP/E, said, “The likelihood is that many controllers will be deterred from coming forward due to fears of fines and the absence of positive incentives.” Room added, “organizations who come forward should be treated similarly to those who undergo an audit.” Editor’s Note: Room will speak in more detail about these findings next month at the IAPP’s Data Protection Intensive in London. Download the full report here.

DATA PROTECTION—ASIA PACIFIC & EU

EU and APEC Working Towards Data Transfer System (March 27, 2013)

Hunton & Williams’ Privacy and Information Security Law Blog reports on the Article 29 Working Party’s (WP29) press release outlining efforts made to promote cooperation between EU and Asia-Pacific Economic Cooperation group (APEC) data transfer systems. A joint EU-APEC committee has been comparing the EU’s binding corporate rules framework and APEC Cross-Border Privacy Rules with a goal of creating “practical tools, including a common referential, for those multinational companies that have data collection and/or processing-related activities in both the European Union and APEC region,” the press release states. The WP29 and APEC are expected to adopt a roadmap in the coming months in order to continue their work in this area.

PRIVACY LAW—EU

Debates Around Proposed Regs Heat Up (March 27, 2013)

Stakeholders across the spectrum are voicing their opinions of the European Commission’s proposed data protection regulation. The Irish presidency recently published an update to the European Council of Ministers on its progress with the proposed framework, highlighting the presidency’s aim to instill a more risk-based approach, Hunton & Williams’ Privacy and Information Security Law Blog reports. In a press release, EU Justice Commissioner Viviane Reding and Telefonica’s Ronan Dunne stressed the significance of the proposed reform, while UK Information Commissioner’s Office Deputy Information Commissioner David Smith has promoted a “proportionate” take on it. TechWeekEurope has also reported that an EU source has said that UK government lobbying efforts to minimize privacy protections in the proposed regulation will not succeed. Meanwhile, GlaxoSmithKline’s Mina Mehta cautioned the reforms do not take into account the implications placed on smaller businesses. Editor’s Note: Two representatives from the UK’s ICO will speak at the IAPP’s Data Protection Intensive in London, April 23-25, and Mehta will speak in the breakout session To Be, or Not To Be Personal Data.

ONLINE PRIVACY

Facebook Wants DPAs Back In; Adds New Targeted Ads (March 27, 2013)

As Facebook CPO for Policy Erin Egan discussed at the IAPP Global Privacy Summit, the company yesterday introduced targeted ads in its newsfeed, known as Facebook Exchange, that utilize a customer’s past browsing history. Financial Times notes that this move raises new privacy fears. The news comes as Facebook wades further into the debate over the EU’s draft data protection regulation, with company officials telling EUObserver that some language could be a “huge disincentive for the companies to comply.” Further, Facebook strenuously supports the current role of DPAs heading up enforcement.

SURVEILLANCE—UK

UK Proposals Would Require Vast Data Collection (March 27, 2013)

British security services say advances in technology have made tracking criminals increasingly difficult, Stuff.co.nz reports. In response, Britain is proposing surveillance laws that would require communications firms to collect and store vast amounts of data. The proposals have drawn the ire of human rights advocates and major corporations alike. A spokesman from Privacy International says companies’ disclosure of user data for police investigations isn’t the issue: "The problem is the Home Office want much more than that. They want these companies to record these activities just in case at some point in the future I may become a suspect. That's not the way things work in a democratic society."

GEO PRIVACY

Report: Location Data Creates “Fundamental Constraints” on Privacy (March 26, 2013)

BBC News reports on a new study revealing that patterns of human movement are predictable enough to identify a specific smartphone user from four data points. The Scientific Reports study analyzed 15 months of human mobility data on 1.5 million users. In an age of ubiquitous mobile phone usage, aggregated datasets are coveted by advertisers, help map emergency services and fuel a new generation of social scientists. The report concludes, however, that “even coarse datasets provide little anonymity” to users. “These findings represent fundamental constraints to an individual’s privacy and have important implications for the design of frameworks and institutions dedicated to protect the privacy of individuals,” the study states.

PRIVACY LAW

Commerce’s Kerry: Privacy Regulation Should Not Be Barrier to Trade (March 26, 2013)

General Counsel for the U.S. Department of Commerce Cameron Kerry keynoted a well-attended data privacy seminar in his home state of Massachusetts yesterday. Kerry advocated for the fundamental underpinnings of U.S. President Barack Obama’s Consumer Privacy Bill of Rights and the general privacy blueprint he’s helped craft as co-chair of the Internet Policy Task Force and the National Science and Technology Council’s Subcommittee on Commercial Data Privacy, but he also expressed concerns about ways that EU privacy legislation may hinder efforts at interoperability by proposing things that are not technologically or commercially feasible.

DATA PROTECTION

Westerman: Privacy Pros Need To Be Trust Pros (March 26, 2013)

In the first in a series of blog posts for the IAPP’s Privacy Perspectives, Create With Context CEO Ilana Westerman writes, “Businesses should stop focusing on privacy and start focusing on trust” and notes that fostering trust “will create value and revenue” for companies. Privacy professionals should become trust professionals, she notes, adding, “Privacy and trust are two sides of the same coin but lie at opposite ends of the emotional spectrum.”

BIG DATA

Opinion: Is Anonymization Possible? If Not, Then What? (March 26, 2013)

Anonymization is intended to allow businesses to collect and use huge amounts of information while minimizing risks to consumers if, for example, a developer’s database gets hacked. But some studies say true anonymization is not possible. David Meyer opines in GigaOM that this level of data collection is not going to stop, “so we need to develop workable guidelines for protecting people. Those developing data-centric products also have to start thinking responsibly—and so do the privacy brigade. Neither camp will entirely get its way: There will be greater regulation of data privacy, one way or another, but the masses will also not be rising up against the data barons anytime soon.”

ONLINE PRIVACY

Microsoft Discloses Requests for Data (March 22, 2013)

Microsoft joined the likes of Google and Twitter yesterday in releasing a report on its response to—along with the number and type of—requests for information it has received from law enforcement bodies around the globe. The UK, France, Germany, Turkey and the U.S. accounted for 69 percent of the 70,665 requests received last year, noted a summary of the report in The New York Times, and anyone is free to peruse the data in either pdf or Excel format. Eighty percent of requests resulted in disclosure of “non-content” information, such as name and e-mail address, while 2.2 percent resulted in the handover of customer content as well. Requests affected customers using such services as Hotmail/Outlook.com, Xbox Live and Office 365.

PRIVACY LAW—IRELAND

Insurer Ordered To Pay Breach Costs (March 21, 2013)

The High Court has ruled insurance company FBD had made a “clear and intentional breach” of the Data Protection Act, conducting itself in an “unacceptable” manner, reports The Journal. FBD refused to handle a customer’s claim based on confidential information concerning a previous conviction against him and did not disclose that information as required by the act, the report states. Justice Kevin Feeney awarded the claimant costs, ruling FBD failed to “exercise a duty of care” as required by the act.

DATA PROTECTION—UK

New EU Regs May Mean 42.8m GBP Bill for UK (March 21, 2013)

With the onset of the new EU data protection regulations, the Information Commissioner’s Office (ICO) workload is expected to increase exponentially. Belfast Telegraph reports that Members of Parliament are now warning that this—combined with the elimination of some fees—could lead to a 42.8 million GBP funding gap to be shouldered by taxpayers. A major source of the ICO’s funding comes from fees required by the Data Protection Act 1998, but the data controller registration fee and a notification fee have been abolished in the new regulation. Justice Committee Chair Sir Alan Beith said, "Taxpayers will have to pick up the tab...unless the government can find a way of retaining a fee-based self-financing system."

EMPLOYEE PRIVACY—U.S.

Pharmacy Healthcare Policy Has Some Crying Foul (March 21, 2013)

ABC News reports on a new employee policy by CVS Pharmacy that requires all of the nearly 200,000 employees using its health plan to submit personal health data—including their weight, body fat and glucose levels—or pay a monthly penalty. No increase in health rates will affect those who disclose the information. Patient Privacy Rights Founder Deborah Peel said, “The approach they’re taking is based on the assumption that somehow these people need a whip, they need to be penalized in order to make themselves healthy,” and added, “It’s technology-enhanced discrimination on steroids.” CVS noted the plan is voluntary and that it would not see the test results. “The goal of these kinds of programs is to end up with a healthier workforce,” one expert said.

PRIVACY LAW—FRANCE

CNIL Publishes 2013 Inspection Targets (March 21, 2013)

Following the 458 on-site inspections it carried out in 2012, the French data protection authority’s (CNIL) annual program for 2013 was published this week. Bird & Bird reports that the CNIL’s objective is to achieve approximately 400 inspections, with one-quarter related to CCTV systems and one-third reserved for the investigation of complaints received. “With respect to the CNIL 2013 program, there is a persistent interest from the CNIL for CCTV systems,” explained Bird & Bird's Gabriel Voisin. “However, operators will be pleased to see that the French data protection authority seems to have no appetite for enforcing the new cookie requirements.”

PRIVACY

A Quick Guide to the DPI (March 21, 2013)

With three full days of programming, the IAPP’s Data Protection Intensive, happening April 23 through 25 in London, may look nigh-on-impenetrable, but members of the IAPP publications team will be gathering the news of what happens and have compiled this quick-reference guide to help focus your energies while there, whether you’re looking to better manage your risk, better understand the upcoming privacy landscape or network and get to know your fellow privacy pros better.

CONSUMER PRIVACY—UK

ICO Levies 90,000 GBP Fine for Nuisance Calls (March 20, 2013)

The UK Information Commissioner’s Office (ICO) has fined a private-sector company 90,000 GBP for “thousands of unwanted marketing calls.” According to an ICO press release, this is the first time the agency has issued a monetary penalty for violations of the Privacy and Electronic Communications Regulations in relation to live marketing calls. Glasgow-based DM Design has been issued the fine for failing to check whether consumers had opted out of receiving marketing calls. ICO Commissioner Christopher Graham said the fine “sends out a clear message to the marketing industry that this menace will not be tolerated." In an exclusive for The Daily Dashboard, Field Fisher Waterhouse's Stewart Room, CIPP/E, explains why this is a significant development. Editor’s Note: Room will speak at the IAPP Data Protection Intensive next month in London, UK.

ONLINE PRIVACY

Weigend: Big Data=Big Oil (March 20, 2013)

IAPP Data Protection Intensive Keynote Speaker Andreas Weigend knows Big Data. As former chief scientist at Amazon and now consultant on social and mobile technologies to global firms like Best Buy and Nokia, he’s working daily with firms to help them navigate what he calls the Social Data Revolution. “Big Data is a mindset,” he said in an interview with The Privacy Advisor. “It’s really how you think about interacting with data; it’s the questions you’re asking and the response time of getting answers and refining the questions.”

ONLINE PRIVACY—U.S.

White House Changes Tune on Some E-mail Surveillance (March 19, 2013)

The Obama administration is easing up on its insistence that law enforcement should be able to access Americans’ e-mail communications without a warrant, but the Justice Department is issuing new proposals that would allow the government to have expanded surveillance rights over e-mails and Twitter and Facebook direct messages, CNET News reports. Electronic Frontier Foundation Staff Attorney Hanni Fakhoury said, “It’s like two steps forward and two steps back…I question how much they’re really conceding.” In an op-ed for POLITICO, Grover Norquist of Americans for Tax Reform and the ACLU’s Laura Murphy announced the launch of Digital 4th, proposing that all private communications stored online should have the same Fourth Amendment rights as any materially stored documents.

PRIVACY LAW—THE NETHERLANDS

Dutch Parliamentarian Questions Drone Use (March 19, 2013)

Police in The Netherlands are increasingly using remote-controlled helicopters to trace burglars and ferret out illegal marijuana crops, but now D66 Parliamentarian Gerard Schouw has asked the Justice Ministry to explain the implications of the use of these drones on privacy, reports DutchNews.nl. Further, Vincent Böhre of the group Privacy First has declared their use illegal, saying it’s a form of camera supervision prohibited by Dutch law.

PRIVACY

Firm Launches Privacy and Free Trade Coalition (March 18, 2013)

In light of upcoming trade negotiations between the U.S. and EU and plans by Japan to join the Trans Pacific Partnership, Hogan Lovells has launched the Coalition for Privacy and Free Trade. The coalition intends to address non-tariff trade barriers brought on by differing data protection regimes and to promote global interoperability, Hogan Lovells’ Chronicle of Data Protection reports. The new group will be led by experts from the privacy and trade spheres, including former EU Ambassador to the U.S. Hugo Paemen, Hogan Lovells Partners Christopher Wolf—who recently wrote about privacy and free trade for the IAPP’s Privacy Perspectives—and Harriet Pearson, CIPP/US, and former White House Privacy Lead Daniel J. Weitzner. “Promoting greater interoperability between U.S. and EU privacy regimes can be a win for consumers on both sides of the Atlantic,” Weitzner said.

MOBILE PRIVACY—EU

A29 Working Party Adopts Mobile Apps Opinion (March 15, 2013)

The Article 29 Working Party (A29WP) has released its joint opinion on mobile apps. The opinion outlines specific obligations of app developers and other parties—including app stores, advertising providers and operating system and device manufacturers—and pays special attention to apps targeting children. Noting that many apps collect a user’s photo album or location data, A29WP Chairman Jacob Kohnstamm said, “This often happens without the free and informed consent of users, resulting in a breach of European data protection law.”

MOBILE PRIVACY—EU

A29 Working Party Adopts Mobile Apps Opinion (March 14, 2013)

In a press release, the Article 29 Working Party (A29WP) released its joint opinion on mobile apps. The opinion outlines specific obligations of app developers and other parties—including app stores, advertising providers and operating system and device manufacturers—and pays special attention to apps targeting children. Noting that many apps collect users’ photo albums or location data, A29WP Chairman Jacob Kohnstamm said, “This often happens without the free and informed consent of users, resulting in a breach of European data protection law.”

PRIVACY LAW—EU

Scholars Defend Privacy Law (March 14, 2013)

In response to increased industry lobbying seeking to weaken the European Commission’s draft data protection law, more than 80 academics have signed an online petition in support of the proposed regulation at the Data Protection in Europe website, reports euobserver. “Pro-industry groups are pushing amendments into the regulation to help shape parliamentary committee opinion reports,” leading more scholars to defend the law in an effort to “help shift the debate away from the industry’s view,” the report states.

ONLINE PRIVACY—EU

EC Consultation: Guidelines Needed for Internet of Things (March 14, 2013)

Respondents to a European Commission (EC) consultation on the “Internet of Things” (IoT) showed broad consensus in support of guidelines and standards for data protection in the IoT, reports Out-Law.com. However, among the more than 600 respondents, there was a distinct split between industry groups saying current regulations were adequate to govern IoT activities and civil society representatives calling for further legislation, the report states. The EC also published a fact sheet on data protection and information security that noted, “if IoT is not designed from the start” to include data protection rights such as the right of deletion and the right to be forgotten, “we will face the problem of misuse of IoT systems and consumer detriment.” Editor’s Note: Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, recently wrote “The Internet of Things and a Balanced Approach to Regulatory Intervention” in Privacy Perspectives, the IAPP’s new blog.

CLOUD COMPUTING

Expert: Study Shows Cloud Market Is “Maturing” (March 14, 2013)

A study conducted on behalf of KPMG has shown implementation and integration issues outranking data security as the most raised issue in moving to the cloud, reports Out-law.com. According to KPMG, this is the first time data security has not been ranked as the most raised issue, and one expert points to that as a sign that “the cloud computing market is maturing.” Charles Park of Pinsent Masons said, “There is a clear change of mood…businesses are now discussing issues to do with implementing cloud strategies as opposed to giving reasons why they are not adopting cloud solutions,” adding, “Regulators too are beginning to catch up and change their stance on cloud matters.”

SOCIAL NETWORKING

Study Indicates “Likes” Reveal Personal Data (March 13, 2013)

Research from England’s University of Cambridge indicates a person’s political leanings, age, gender and sexual orientation can be deciphered by studying their Facebook “Likes,” Forbes reports. The study is based on data from 58,000 Facebook users who volunteered. “The model correctly discriminates between homosexual and heterosexual men in 88 percent of cases, African Americans and Caucasian Americans in 95 percent of cases and between Democrat and Republican in 85 percent of cases,” the authors say, adding, the ability to predict individuals’ attributes based on behavior may have negative implications “because it can be easily applied to large numbers of people without obtaining their individual consent and without them noticing.”

INFORMATION ACCESS—FRANCE

CNIL Launches Open Data Consultation (March 13, 2013)

The French data protection authority (CNIL) has initiated a consultation of “relevant private and public actors” to determine whether it should pursue an “Open Data” initiative, Hunton & Williams’ Privacy and Information Security Law Blog reports. Open Data is seen at national and EU levels to allow access to and the re-use of public-sector data, the report states. The UK and the European Commission have both launched Open Data portals. The CNIL’s consultation “is intended to improve its understanding of this movement and the consequences for the protection of personal data.”

BIG DATA

Authors: The Risks and Benefits of Big Data (March 13, 2013)

Forbes chats with Viktor Mayer-Schönberger and Kenneth Cukier on the future of Big Data. The two are the authors of a new book, Big Data: A Revolution That Will Transform How We Live, Work and Think, which addresses both the risks and benefits of Big Data. Regarding privacy concerns, the authors say anonymization is not possible when it comes to Big Data. The two are more concerned with “predictive policing,” which may see the use of Big Data analysis to determine which geographic areas and groups to surveil based on the data-based likelihood a crime may be committed. The authors suggest frameworks, including data “expiration dates,” to protect against Big Data’s misuse.

GENETIC PRIVACY

Report: DNA Samples Could ID Donors (March 12, 2013)

CSO reports on research indicating it could “be possible for anyone, even if they follow rigorous privacy and anonymity practices, to be identified by DNA data from people they do not even know.” Referencing a paper published in Science, the report discusses a process where DNA donors and their relatives could be identified “even without any demographic or personal information.” While laws barring “research institutes from releasing any demographic information about donors would protect patient privacy,” the report notes they would “eliminate the ability of researchers who have identified markers for a particular disease to also identify the ethnic or cultural background of those who might have it.”

TRAVELERS’ PRIVACY—EU & U.S.

Risk-Based Screening Draws Privacy Scrutiny (March 12, 2013)

The New York Times reports on plans to move air passenger screening to a more risk-based system fueled by large amounts of data collecting and sharing. The shift is supported by the travel industry and U.S. government officials, but civil liberties groups and some European regulators are concerned the new approach will compromise travelers’ privacy. The system will focus on identifying suspect travelers rather than suspect items and will use data from terror-watch lists, travel agencies and airlines—including birth dates, passport numbers and other confidential information. German Federal Commissioner for Data Protection and Freedom of Information Peter Schaar said any passenger data system should demonstrate it roots out terrorists, be proportional and avoid discrimination. “I question whether these proposals meet at least one of those,” he cautioned. (Registration may be required to access this story.)

DATA PROTECTION—UK

ICO Expresses BYOD Privacy Concerns (March 12, 2013)

Following its annual conference in Manchester, UK, last week, the Information Commissioner’s Office (ICO) is expressing concern about the threat bring-your-own-device (BYOD) poses to data security and privacy, reports InformationWeek. The ICO released the results of a survey showing 47 percent of UK workers now use personal devices for business, yet less than 30 percent receive guidance from their employer regarding privacy and data security. The ICO has released a BYOD Guide dictating how employees should be instructed in handling personal information accessed and stored on their devices. "Employers must have adequate controls in place to make sure this information is kept secure," warned an ICO spokesman.

PRIVACY LAW—EU

Reding on the Regulation: “All the Elements Are Falling Into Place” (March 11, 2013)

In her Intervention in the Justice Council on March 8, European Commission (EC) Vice President Viviane Reding discussed progress on the draft EU data protection regulation, calling it “significant and extremely encouraging.” Highlighting the regulation’s timeline moving forward, Reding said, “All the elements are falling into place to make decisive political progress on this critical dossier under the Irish (EU) presidency.” Reding's speech also includes points on a risk-based approach, "SMEs and cutting red tape," public-sector flexibility and pseudonymous data, to name a few. “I am happy to work on the notion of pseudonymous data, but I will be vigilant,” she said. “We need a robust definition and robust safeguards. Pseudonymous data must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions.”

PRIVACY

“Lifelogging” Camera Soon To Launch (March 11, 2013)

The New York Times reports on Swedish start-up Memoto’s wearable “lifelogging camera,” which automatically takes photos of the wearer’s surroundings. Worn on a collar, a jacket or like a necklace, the camera takes photos every 30 seconds. The photos will not immediately be available to share through social media, but the company’s founders hope to eventually pair the device with other data and tracking applications. The product raises some questions about privacy and data ownership, the report states. (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Company Bringing Online Tracking Outside (March 11, 2013)

The New York Times reports on a three-year-old company using the same technology that has made “following people online” big business in order to track consumers “into the physical world.” Euclid Analytics uses businesses’ wireless antennas “to see how many people are coming into a store, how long they stay and even which aisles they walk,” the report states, noting the company “does this by noting each smartphone that comes near the store, feeding on every signal ping the phone sends.” In its three years, Euclid has tracked approximately “50 million devices in 4,000 locations.” (Registration may be required to access this story.)

PERSONAL PRIVACY

Google Funds “Fashion Recognition” Research (March 11, 2013)

In late February, Google announced the funding of some 102 research projects focused on a variety of fields, from economics to policy standards and privacy. One such project, reports InformationWeek, is InSight, which could work with Google Glass and other mobile platforms to identify individuals “by their visual fingerprint, calculated through assessments of clothing colors, body structure and motion patterns.” The technology could offer an alternative to facial recognition and could be a temporary way, researchers say, to make oneself identifiable in a crowd.

ONLINE PRIVACY

IAB “Strongly Opposes” Mozilla Move on Cookies (March 11, 2013)

Advertising Age reports on Interactive Advertising Bureau (IAB) Vice President and General Counsel Mike Zaneis’ message to IAB members on Mozilla’s plans to block third-party cookies by default. Zaneis said the IAB “strongly opposes this move,” calling it harmful to big companies, mom-and-pop small businesses dependent on digital advertising and users themselves. “Ultimately, it is bad for consumer privacy,” he wrote. “This action would break existing consumer choice mechanisms such as the Digital Advertising Alliance opt-out tool.” The message follows Zaneis’ comment last month calling the move a “nuclear first strike” against the ad industry.

ONLINE PRIVACY—UK

Updated Street View Images Cause Concern (March 8, 2013)

One resident of a British neighborhood recently discovered images of his home and the homes of his neighbors on Google’s Street View mapping service after the residents had requested they be removed, reports The Telegraph. Google had removed the images after the 2009 request, but updated images of the neighborhood on the site include unaltered views of the homes. The residents now must reapply if they want images of their homes blurred. “Google is a technology company,” said one homeowner, adding, “it ought to be easy for them to ensure they keep blurring properties when they update the images.”

PRIVACY

IAPP Unveils Westin Fellowship, Welcomes Tene To New Role (March 8, 2013)

The International Association of Privacy Professionals (IAPP) has unveiled the Westin Fellowship, named for privacy pioneer Alan Westin and intended to “encourage and enable research and scholarship in the field of privacy.” Recent graduates of undergraduate and graduate programs with high academic standing and a demonstrated interest in privacy may apply for and be awarded 12-month paid residencies at the IAPP and work on privacy research projects under the IAPP’s newly named VP of Research and Education Omer Tene.

DATA PROTECTION

IAPP Launches Privacy Manager Certification (March 8, 2013)

Yesterday at the IAPP's Global Privacy Summit, the organization launched a companion certification to its long-standing CIPP: the Certified Information Privacy Manager (CIPM).

PRIVACY LAW—EU

Reding Admonishes Lobbyists’ “Scaremongering” (March 7, 2013)

During a speech in Brussels yesterday on the European Commission’s draft proposal of a revised data protection regulation, EU Justice Commissioner Viviane Reding said lobbyists’ “predictions of doom are not justified. Data protection law has not fallen from the sky.” U.S. technology companies have lobbied for provisions of the draft to be removed entirely, including provisions on user consent. But Reding noted in her speech that all 27 national data protection authorities agree that consent should be explicit within the final regulation. “What will this mean in practice?...Hundreds of pop-ups on your screens? Smartphones thrown on the floor in frustration? No. It means none of these things. This is only the scaremongering of certain lobbyists,” she said. She added U.S. companies will be required to play by European rules. However, ZDNet reports that a year after its introduction and amidst such controversy, the commission may “water down” some aspects of the draft proposal. A number of member states—including the UK, Germany, Sweden and Belgium—have said the proposed rules are too prescriptive.

SOCIAL NETWORKING—EU

Social Media Companies Answer Committee’s Questions (March 7, 2013)

Answering an Oireachtas committee investigating cyberbullying, Twitter’s policy director for Europe said user anonymity is a “fundamental value,” The Irish Times reports. Asked whether the company could identify users for law enforcement purposes, Twitter’s Sinéad McSweeney said users are not required to disclose to the site their full names at any time. However, the company cooperates with law enforcement in cases involving a criminal offence, McSweeney said, adding such action required balance with “our commitment to the privacy of our users.” Facebook’s director of policy for the UK and Ireland told the committee the site requires users to register with their true identities, a policy Facebook’s European safety director said encourages responsible behaviour online.

EMPLOYEE PRIVACY—GERMANY

Courts Clarify Data Rules (March 7, 2013)

Hunton and Williams’ Privacy and Information Security Law Blog reports on two recently published German court decisions clarifying German employee data law. The decisions “validate the independence of works councils in determining how to comply with data protection law and clarify when unused employee e-mail accounts can be deleted,” the report states. The Federal Labor Court of Germany held that a business cannot dictate how its works council complies with data protection law, and the Higher Regional Court of Dresden has clarified when businesses may delete e-mail accounts.

SOCIAL NETWORKING

Carnegie Mellon Study: Facebook Users Shared More Over Time (March 7, 2013)

The Huffington Post reports on a Carnegie Mellon University study that followed the privacy practices of 5,076 Facebook users for six years. Researchers found that “during the first four years, users steadily limited what personal data was visible to strangers...” But after Facebook's changes to its platform in 2009 and 2010, users began to share more data with the public. Additionally, “even as people sought to limit what strangers could learn about them from their Facebook profiles, they actually increased what information they shared with their friends.” The researchers said the study’s results highlight “the power of the environment in affecting individual choices.”

PRIVACY LAW—ITALY

Court: Service Providers Not Responsible for User Content (March 5, 2013)
Court documents have been released on the December ruling by a Milan court acquitting three Google executives on charges alleging violation of an Italian child's privacy after a video of the boy being bullied was posted on one of the company's websites. “The possibility must be ruled out that a service provider which offers active hosting can carry out effective, pre-emptive checks of the entire content uploaded by its users,” the court said in its ruling, adding such an obligation would impose a “pre-emptive filter on all the data uploaded on the network, which would alter its own functionality.”

DATA PROTECTION—EU

Reding and Aigner: Regulation Reform a “Historic Opportunity” (March 5, 2013)

EU Justice Commissioner Viviane Reding and German Consumer Protection Minister Ilse Aigner say the proposed EU General Data Protection Regulation is an “historic opportunity” to modernize existing data protection rules. Following a meeting in Brussels last week, Reding and Aigner issued a statement that now is the time to set the proper data protection standards to benefit both consumers and industry. “There must be no loopholes for social networking sites, app providers or online traders. We have to ensure that EU law also applies to service providers based outside the EU or to data which is stored in the cloud anywhere in the world.” Consumer choice is essential regarding the deletion of data, they added.

ONLINE PRIVACY

The Shift from Regulatory Requirement to Selling Point (March 4, 2013)
The New York Times reports on privacy’s shift from a regulatory focus to a competitive differentiator for companies. Noting Microsoft’s recent efforts at protecting consumer privacy via its anti-tracking signal in its latest Internet Explorer browser, Prof. Joel Reidenberg of Fordham Law School said, “You’re seeing more companies trying to do that—develop privacy-protecting services.” Additionally, companies are applying standards to the entities they do business with; for example, Apple now requires applications to acquire user permission before tracking locations. Meanwhile, CNN reports federal Do-Not-Track efforts face “an uphill road.” (Registration may be required to access this story.)

DATA LOSS

50 Million Passwords Reset After Breach (March 4, 2013)

Online personal organizer Evernote has reset the passwords for all its nearly 50 million users after “suspicious activity” was discovered on its network, PC Magazine reports. The incident “appears to have been a coordinated attempt to access secure areas,” according to a company blog post. Though the investigation is ongoing, hackers did access a database containing users’ names, e-mail addresses and passwords. Evernote says it used one-way encryption to protect the data. Meanwhile, a new study has revealed that 41 percent of more than 12,000 respondents said it can take up to a week to respond to a breach, and 28 percent said they could respond in a day.

ONLINE PRIVACY

Opinion: The Cost of Blocking Cookies (March 1, 2013)

Joshua Koran of the cloud marketing platform Turn writes for Advertising Age about the impact that blocking cookies would have not only on digital advertising but also on small publishers and consumer choice. “Nearly everyone agrees that we each have a right to privacy embedded in our own identity. But each of us is also a consumer of advertising-subsidized content, and that advertising relies on the use of anonymous data. Transparency and choice are two fundamental principles that underlie digital privacy guidelines. But how can users make informed choices if they don't understand the implications of their decisions?” Koran writes.

PRIVACY LAW—EU & U.S.

Coviello: Laws Benefit Criminals, Not Citizens (March 1, 2013)

Art Coviello, chairman of security giant RSA, told TechWeekEurope he believes current privacy legislation is too strict. He specifically points to European privacy laws, noting that he’s heard concerns from EU CEOs about contradictory laws making it impossible to effectively implement necessary data protection tools. In an effort to protect civil liberties, the EU in its privacy laws is allowing “criminals and others to trample those very same civil liberties,” Coviello said, adding, “we ought to be able to have a meaningful dialogue with people on both sides…the privacy people should see what I see, because it would scare the heck out of them.”