European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW

CA Signs Do-Not-Track Disclosure Law, Plus Other Legal News (September 30, 2013)

In this week’s Privacy Tracker legislative roundup, read about California’s continued push toward privacy protections including Gov. Jerry Brown signing into law an amendment to the California Online Privacy Protection Act that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, the passing of the “eraser law” and movement on a bill that would extend the employee social media law to public agencies. Meanwhile, a Minnesota court has determined the state is not responsible for an employee’s alleged inappropriate accessing of driver’s license records, and the Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff saying his Facebook “Like” is protected by the First Amendment. Plus, read about legislative activity in the EU, Singapore, Australia and South Africa. (IAPP member login required.)

PRIVACY LAW—FRANCE

CNIL Says It Will Soon Fine Google (September 30, 2013)

CNET and other media outlets are reporting that France’s data protection agency, the CNIL, announced Friday it plans to sanction Google following the company’s refusal to meet its demands for changes to its privacy policy. The CNIL will now appoint a rapporteur to “initiate the possibility of sanctions, which could include fines.” The CNIL’s requests reportedly include asking Google to inform users about the purposes of its data processing, to define retention periods for the personal data processed and to get explicit consent for placing cookies. Google feels it already complies with European privacy law. A number of privacy industry members weigh in on the case’s importance.
Full Story

SURVEILLANCE

Spying Leads to Calls for “Privacy Havens” (September 30, 2013)

The Wall Street Journal reports today on new data privacy trends inspired by Edward Snowden’s NSA revelations, including a new “Email Made in Germany” service created by three of Germany’s largest Internet service providers. "We can say that we protect the e-mail inbox according to German law," says Jorg Fries-Lammers, a spokesman for one of the German companies, 1&1 Internet AG. "It's definitely a unique selling point." Facebook COO Sheryl Sandberg pronounced herself “nervous” about these kinds of developments. "It means fragmenting the Internet and putting the economic and social opportunities it creates at risk." President of Brazil H. E. Dilma Rousseff even went so far as to call for “the establishment of a civilian multilateral framework for the governance and use of the Internet and to ensure the effective protection of data that travels through the web” in a speech before the United Nations. The NSA news is leading to tech innovation as well. John McAfee announced this week he is developing personal gadgetry that will protect the user from NSA spying. (Registration may be required to access this story.)
Full Story

PRIVACY

Privacy Lessons from Berlin: An Exploration (September 30, 2013)

In the first installment of an investigative series for The Atlantic, Conor Friedersdorf writes about spending a week in Berlin exploring the question, “What can Germans teach us about privacy?” He questions, “Are German attitudes toward personal data protection spurring the country to refashion itself as a 'Cayman Islands of privacy’, or at least the leader of a Euro zone that reorients the Internet so that it's less NSA-accessible? How are German politicians who favor greater protection for privacy planning to proceed?” Friedersdorf suggests Berlin is “an important test case for Western nations as leaders and citizens decide how best to navigate the digital revolution and its implications for privacy.”
Full Story

BEHAVIORAL TARGETING—UK

MPs Give Data Harvesters “Green Light” (September 30, 2013)

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament's commitment to protecting consumer rights,” Daily Mail reports. The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states.
Full Story

ONLINE PRIVACY

PGP Creator Warns About E-mail Privacy (September 30, 2013)

Creator of the e-mail encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine.
Full Story

DATA PROTECTION—EU & UK

UK Asking Member States To Block Plans for Tighter Rules (September 27, 2013)

The UK will encourage other EU nations to block plans to tighten data protection rules, Bloomberg reports. Justice Secretary Chris Grayling said the proposals risk burdening business. “This is a debate to my mind about how much and how far can Europe continue to impose costs on business. The EU is unrealistic if it believes that imposing extra costs on business is not going to drive companies and jobs out of the EU in a world that is extraordinarily competitive.” Plans to revise data protection rules will be debated in Luxembourg on October 7.
Full Story

PRIVACY REGULATION

Frameworks Emerging Around the World, But Is Enforcement? (September 27, 2013)

AdAge reports on privacy frameworks in regions around the globe—particularly in Latin America and India. Nations including Chile and Brazil are currently exploring new data protection rules, similar to that of the EU, which consider privacy as a human right. India is also grappling with emerging privacy issues, even though culturally, “Your expectation of privacy is nil,” one expert said, adding, “The Indian outsourcing industry needs to instill a sense of confidence … in how it respects U.S. and EU data.” VP of Privacy Certified at the Entertainment Software Rating Board Dana Fraser said when navigating global privacy rules, “We have to figure out what’s the highest bar we have to uphold … It can actually impact your rollout dates for an app.” Several privacy experts agreed, however, that enforcement is a hurdle outside the U.S. “I think it is true that the U.S. enforces more than anyone else,” Covington & Burling’s Matthew DelNero said.
Full Story

DATA PROTECTION

From Poland, DPAs Prepare To Join Forces (September 26, 2013)

In an exclusive for The Privacy Advisor, Sam Pfeifle reports from the 35th Annual Conference of Data Protection and Privacy Commissioners in Warsaw, Poland. Pfeifle notes that from the outset, “the collective DPAs intended to show a united front and that they mean business.” As Polish Minister of Administration and Digitization Michal Boni said in his keynote, “We need regulations. Hard regulations.” But only one subject hung over the event more than whistleblower Edward Snowden: The upcoming European Data Protection Regulation and what the future of privacy enforcement will look like. Nearly every presentation contained some disclaimer about how things will change once the regulation comes into place. The form it will take in the end? No one can confidently predict that. The fact that it’s needed? On that there is universal agreement.
Full Story

GEO PRIVACY—UK

Motorist Tracking Raises Concerns (September 26, 2013)

Privacy advocates are voicing concerns over reports of the Highways Agency “collecting huge amounts of data from phone companies and other firms that log clients’ location,” Daily Mail reports. While officials have said the information, which is used to help avoid traffic issues, is anonymous, Big Brother Watch’s Nick Pickles commented, “This is yet another example of how our lives are being monitored at an extremely detailed level … People will probably have no idea that this information is being used by the Highways Agency.” A Highways Agency spokesman said, “No individual person, vehicle or device will be identified as only on-road traffic data is used.”
Full Story

BEHAVIOURAL TARGETING

Tesco To Share Consumer Data With Start-Ups (September 26, 2013)

Retailer Tesco plans to share consumer data collected from more than 400 million homes worldwide with start-ups through an investment fund started by its daughter company Dunnhumby, The Irish Times reports. The shared data will be used to design products for retailers and consumers. Dunnhumby Global Head of Investments Dave Balter said, “We’re interested in what technologies will shape the future of retail, and we’re looking for start-ups from Ireland, the U.S. and all across the globe.” Balter noted that collected data is anonymised, adding, “In terms of personally identifiable data, we are not interested in you personally but more interested in the market segmentation of, say, families with three kids.”
Full Story

PRIVACY RESOURCES

Guidance and Research on De-identification (September 26, 2013)

In the fall of 2012, both the U.S. HHS Office for Civil Rights (OCR) and the UK Information Commissioner’s Office (ICO) published guidance on data de-identification. The OCR guidelines intend to clarify how to interpret the U.S. HIPAA Privacy Rule's de-identification standards and provide certainty on some of the issues creating confusion among covered entities. The ICO code of practice provides a set of general principles and specific techniques that can be applied. This Close-Up provides insight on this guidance and research to help you get a better understanding of the challenges and benefits of de-identification in all its forms.
Close-Up: De-Identification

DATA GOVERNANCE

Is Your Biz Viewing Privacy Through the Right Lens? (September 26, 2013)

For many consumers and businesses, privacy and data protection remain a top concern, “But are business leaders looking at the glass half empty?” asks PricewaterhouseCoopers Data Protection and Privacy Manager Rafae Bhatti, CIPP/US. “By considering only what privacy safeguards can prevent—customer loss, brand damage, fines and litigation—they are missing a big opportunity,” he writes. In this post for Privacy Perspectives, Bhatti provides some suggestions on what companies can do to “find the right balance between protecting data and enabling its use in new ways.” Editor’s Note: PwC’s Aaron Weller, CIPP/US, CIPP/IT, will speak in the breakout session “How To Get the C-Suite on Board (and Make Them Think It Was Their Idea)” at next week’s IAPP Privacy Academy in Seattle, WA.
Full Story

WEB CONFERENCE

Where Security Meets Privacy (September 25, 2013)

The relationship between IT security and privacy teams within organizations should ideally be a strong one—with clear communication channels and responsibilities—but this is rarely the case. Competing demands, siloed cultures and even competition for budget can all contribute to produce a less-than-ideal partnership. Join panelists Jonathan Fox, CIPP/US, CIPM, of McAfee, Co3 Systems’ Gant Redmon and Navigate’s Chris Zoladz, CIPP/US, CIPP/E, CIPP/G, CIPP/IT, on October 17 from 1 to 2:30 p.m. EDT to gain tips and insights into how you can improve this working relationship at your organization.
Full Story

PRIVACY LAW—EU & U.S.

MEPs: Stop TFTP Agreement in Its Tracks (September 25, 2013)

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended, PCWorld reports. The demands to halt the Terrorist Finance Tracking Program (TFTP) at Tuesday’s hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. "We have no evidence that they have actually been doing this, but they don't deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future," said Dutch MEP Sophie in’t Veld, adding she considers the agreement to be “effectively dead.”
Full Story

BIG DATA

“Master Profiles” Will Connect Online, Offline Data (September 24, 2013)

Financial Times reports that Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. Editor’s Note: Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, will speak in the breakout session Taming Big Data at next week’s IAPP Privacy Academy in Seattle, WA. (Registration may be required to access this story.)

BIG DATA

The Misconceptions of Defining Data Brokers (September 24, 2013)

“The marketing industry has come under fire recently for its use of consumer data to provide ads and offers,” writes Epsilon Privacy Manager Nicole Tachibana, CIPP/US, adding, “There are a number of misconceptions at the heart of the issue.” She notes that Federal Trade Commissioner Julie Brill has said that data brokers are using user profiles to “determine the rates we pay (and) even what jobs we get.” In this Privacy Perspectives post, Tachibana writes, “However, the reality is that marketing data brokers use information for marketing purposes only,” and she parses out misperceived definitions of what marketing data brokers do with consumer data.
Full Story

CLOUD COMPUTING—EU & U.S.

Reports Call for EU Cloud, Student Data Protection (September 24, 2013)

A report commissioned by the European Parliament suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance,” Fierce Government IT reports. Meanwhile, a SafeGov.org report “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.”
Full Story

PRIVACY

On What Rock and Privacy Might Have In Common (September 23, 2013)

Near the end of the 1960s, rocker Jim Morrison and The Doors recorded a blues jam called “Rock is Dead.” The phrase, however, isn’t particular to the music world, as it’s a phrase often spoken when discussing privacy, “especially in light of what some are calling the ‘Summer of Snowden,’ which has brought on a new chorus of reports, blogs and posts exclaiming the death knell of privacy,” writes Jedidiah Bracy, CIPP/US, CIPP/E. Though our world is rapidly changing in many ways, some things stay the same, highlighted in part by a Newsweek cover story from 1970 asking if privacy is dead. This Privacy Perspectives post explores that article and excavates many of the similar arguments and concerns that still resonate today.
Full Story

BEHAVIORAL TARGETING

Industry Reacts to Google Cookie Alternative (September 20, 2013)

The Wall Street Journal reports on the ad industry’s reaction to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & UK

Opinion: Industry Actually Wants Regulators With More Powers (September 20, 2013)

In an opinion piece for The Guardian, UK Direct Marketing Association Chairman Scott Logie says as the European Parliament prepares to vote on data regulation in October, it’s “time for a rethink on how we tackle this problem” in the UK. From a business perspective, the final proposals are not expected to be favorable, Logie writes, citing a weak Information Commissioner’s Office that “no one really fears” and calling for a stronger enforcement agency and clear guidelines about how to establish trust-based agreements between businesses and their consumers. His comments echo Canadian Privacy Commissioner Jennifer Stoddart’s call this week for stronger enforcement powers.
Full Story

BIOMETRICS

Facedeals To Use Facial Recognition for Targeted On-Site Advertising (September 20, 2013)

In an interview with MarketingLand, Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—“ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal?
Full Story

PRIVACY LAW—FRANCE & EU

French Proposal Aims To Boost EU Tech Firms (September 20, 2013)

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites, Financial Times reports. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE

Group Wants Countries To Disclose Data Requests (September 20, 2013)

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests, The Hill reports. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same.
Full Story

PRIVACY LAW—EU

NSA Revelations Prompt Calls for EU Privacy Law (September 19, 2013)

Amidst recent reports on the U.S. National Security Agency (NSA) surveillance programs, including news of “Dishfire,” which collects information on credit card transactions from 70 banks worldwide, V3.co.uk reports on calls from European Commission Vice-President Viviane Reding on the EU’s need for a cross-national data protection law. Reding “made the call to arms during a speech in which she claimed the region's economy will suffer unless new uniform data protection laws are created,” the report states. The recent Dishfire reports, meanwhile, indicate the NSA targeted transaction information from large credit card companies on customers in Europe, the Middle East and Africa.
Full Story

PRIVACY LAW—EU

Preparing for Data Inspections and Audits (September 19, 2013)

In a feature for Bloomberg Law, Morrison & Foerster’s Karin Retzer and Joanna Lopatowska offer a guide to preparing for and handling data protection audits and inspections. Citing recent figures on DPA audits, they write, “Companies need be proactive and take steps to dealing with a data protection audit. Any regulatory inspection is a burdensome undertaking, and inspections carry the risk of noncompliance being exposed, sanctions, adverse media attention and damage to reputation.” Retzer and Lopatowska examine why organisations are audited, what the general legal framework and jurisdictions are and how to prepare for and handle inspections, among other recommendations.
Full Story

DATA PROTECTION—UK

ICO Releases PECR Notification Guide (September 19, 2013)

The UK Information Commissioner’s Office (ICO) has released a new 13-page guide to public electronic communication service providers to help explain when such companies are obligated to report personal data breaches, Out-Law.com reports. Telecoms would be required to submit monthly reports to the ICO laying out all the security breaches sustained. The ICO did say such reports could be disclosed under Freedom of Information Act requirements. "Strictly speaking, PECR (Privacy and Electronic Communications Regulations) does not require this monthly return," the ICO said. "However, we believe that this remains a useful exercise as it will demonstrate that service providers are monitoring their security properly and taking their responsibilities seriously. If we do not receive a monthly return from a service provider, this may trigger further investigation."
Full Story

CLOUD COMPUTING—EU

MEP Says Europe Should Invest in EU Cloud (September 19, 2013)

Dutch Green MEP Judith Sargentini has said Europe should invest in an open-sourced, highly secure cloud platform to protect the data of European citizens from snooping governments around the world, Business Cloud News reports. “The Euro Parliament gives a clear signal to (Neelie) Kroes that its purely business approach to cloud computing is totally inadequate,” Sargentini said. “They see the business benefits of the cloud but completely miss the implications for privacy and the enormous risks of economic and political espionage.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act.
Full Story

SURVEILLANCE—GERMANY

Schaar: Intelligence Agencies Need To Be Transparent (September 19, 2013)

Peter Schaar, Germany’s data protection commissioner, has said that intelligence organisations ensconced within a “wall of silence” must become more transparent so that citizens can comprehend their work instead of only listening to whistleblowers, Deutsche Welle reports. “That is decisive for trust in democracy,” he said, “which is damaged when this transparency just does not exist.”
Full Story

DATA LOSS—SWITZERLAND

NZZ Acknowledges Possession of Swisscom Data (September 19, 2013)

Neue Zürcher Zeitung (NZZ) was in possession of data tapes from Swisscom’s data centres, Light Reading reports. “The records concerned are apparently backup files from 2008 to 2010 containing internal Swisscom data, including e-mails. It is still not clear to Swisscom whether customer data are also stored on these data carriers,” the report states, noting the tapes were “handed over to the NZZ editorial team by a person unknown to Swisscom.” The tapes have been returned to Swisscom and are being analysed, the report states. Swisscom has “instigated legal proceedings against persons unknown and informed the Federal Data Protection Commissioner about the incident.”
Full Story

DATA LOSS—UK

Bureau Inadvertently Publishes PII (September 19, 2013)

The Citizens Advice Bureau (CAB) mistakenly published more than 1,300 files to its main website, The Northern Echo reports. Published data included names, addresses, debt histories, criminal records and staff login details. The Information Commissioner’s Office is looking into the incident.
Full Story

ONLINE PRIVACY

Study: Whois System’s Privacy Controls Being Abused (September 19, 2013)

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused, ZDNet reports. ICANN—a pseudo-directory of contact details for domain names—is recommending the Whois system be replaced to include authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information.
Full Story

ONLINE PRIVACY

Is Google Set To Do Away with Cookies? (September 18, 2013)

USA TODAY reports on a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future.

PRIVACY TECHNOLOGY

Why Privacy Pros Must Embrace Technology (September 18, 2013)

“As privacy professionals, we have the opportunity to help companies restore the balance in the personal data ecosystem by considering the business needs of our employers as well as those of the individual,” writes UnboundID Product Marketing Director Nick Crown, CIPP/IT. To provide more user control over personal data, “our industry needs to look beyond static, ‘detective’ approaches to privacy practices,” he notes, and “embrace technology as an enabler of preventative privacy controls.” In this installment of Privacy Perspectives, Crown presents four phases that outline how businesses can better provide transparency, choice and control to their customers in relation to the collection, processing and transfer of their personal information.
Full Story

PRIVACY RESOURCES

Consumer-Facing Privacy Policies: What Should Yours Look like? (September 18, 2013)

With privacy becoming more of a competitive advantage in business, it’s important that organizations communicate their data collection and handling practices with consumers in an easily digestible manner. But with the amount of legal jargon in most policies, many consumers don’t read them, or if they’ve tried, they can’t understand them anyway. In this IAPP Resource Center Close-Up, see examples of successful policies, guidance on creating plain-language and layered policies and what to pay attention to when making changes to your policy. (IAPP member login required.)
Close-Up: Creating a Privacy Policy

MOBILE PRIVACY

Operator Calls for Consistent Privacy Approach (September 18, 2013)

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry, Marketing Week reports. Vodafone Global Privacy Counsel Kasey Chappelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states.
Full Story

ONLINE PRIVACY

Tumblr Inks Deal With Analytics Biz (September 17, 2013)

TechCrunch reports that Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.”
Full Story

SOCIAL NETWORKING

Will Going Public Diminish Privacy on Twitter? (September 16, 2013)

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. Blouin News reports the company plans to exact a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.”
Full Story

PRIVACY LAW

Tracker Global Round-Up: Old Laws Reinterpreted; New Laws on the Way (September 16, 2013)

A U.S. District Court cited the Stored Communications Act as protecting “friend-only” posts on Facebook; one expert questions whether the False Light Tort is still relevant, and Apple’s new fingerprint authentication could bring up interesting questions about invoking the Fifth Amendment when it comes to accessing biometrically protected data and devices. Read about these developments plus more on HIPAA, California’s leading role in privacy legislation, breach notification in the EU and Brazil’s struggle to pass a privacy law in this week’s Privacy Tracker weekly legislative roundup. (IAPP member login required.)
Full Story

PRIVACY

A Look at the “Age of Context” (September 16, 2013)

In an article for Forbes, Rawn Shah reviews Age of Context: Mobile, Data, Sensors and the Future of Privacy by Shel Israel and Robert Scoble. The book looks at the state of technology in 2013 with regard to healthcare, transportation, mobile devices and understanding customers, among others. Context is important when it comes to wearable technologies, the book notes. The kind of information collected, how it’s processed and cross-referenced with other sources and the responses they produce are all important questions, the authors note, calling such data points “Little Data.” Editor’s Note: Sam Pfeifle interviewed Israel last month in anticipation of his keynote address at IAPP Privacy Academy, in Seattle, September 30 to October 2. The interview contains a free download of the book’s chapter on privacy.
Full Story

SURVEILLANCE

Law Enforcement Surveillance Tools Abound (September 16, 2013)

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.”
Full Story

DATA PROTECTION—EU

Which Laws Govern Online Personal Data? (September 12, 2013)

In an Out-Law.com podcast, experts from Pinsent Masons examine a recent dispute between Facebook and the German province of Schleswig-Holstein to uncover the burgeoning jurisdictional issues of who governs users’ online data. “We put more and more information about ourselves online,” the report states, “and in Europe remain confident that strong data protection laws apply. But whose law, exactly, does control the use of information about us? And how is that question decided?”
Full Story

PRIVACY LAW—EU

The Future of Dealing With Data Breaches (September 12, 2013)

The Lawyer reports on the European Commission’s draft data protection regulation and the mandatory reporting of data security breaches. “Organisations would have to inform the relevant data protection authority (DPA) of a breach ‘without undue delay and, where feasible, not later than 24 hours of becoming aware of it,’” the report states, highlighting key provisions in the draft. “Most obviously, in the current draft there are no exceptions to the requirement to notify data security breaches to DPAs. This means that every security breach, no matter how insignificant, will, in theory, have to be reported,” the report states. (Registration may be required to access this story.) Editor's Note: Laura Vivet Tañà, CIPP/US, CIPP/E, examines the EU data breach notification rule in a recent feature for The Privacy Advisor.
Full Story

SURVEILLANCE—GERMANY & U.S.

German DPAs Pass Resolution on PRISM, Other Programs (September 12, 2013)

The Federal Commissioner for Data Protection and Freedom of Information and 16 German state data protection authorities (DPAs) have passed a resolution on the PRISM, Tempora and XKeyscore surveillance programs, reports Hunton & Williams’ Privacy and Information Security Law Blog. The DPAs said more should be done to understand the scope of the programs and whether German federal authorities illegally shared personal data with other countries. The DPAs call for the development of national, European and international laws to ensure privacy is fully protected, more safeguards when it comes to IT systems and a review of the EU-U.S. passenger name records agreement.
Full Story

DATA PROTECTION—UK

ICO Says No to MP List of Rogue Detectives (September 12, 2013)

MP Keith Vaz has written to Information Commissioner Christopher Graham to confirm a list of insurance companies, lawyers and finance businesses that have employed the services of “rogue” private investigators will not be published pending the outcome of a "scoping exercise" by the Information Commissioner's Office (ICO), Express & Star reports. Graham had joined law enforcement in criticising a prior decision by MPs to publish the list, saying, “It's not clever to start a criminal investigation by publishing the names of everyone and everything you're investigating. That's why we've stated we're not publishing the list at this stage, and why I've written to Keith Vaz MP to urge similar patience on the part of his select committee.”
Full Story

DATA PROTECTION—IRELAND

Hawkes’ Tenure and the Changes He’s Seen (September 12, 2013)

Being the European home of big tech firms like Facebook, Google and Apple, to name a few, puts Ireland—and particularly Ireland’s Data Protection Commissioner Billy Hawkes—in a unique position at a time when information privacy is reaching a fever pitch. Silicon Republic reports that when Hawkes took office in 2005, he was mainly focused on the data protection and marketing practices of Irish organisations. Fast-forward to 2011, and his office was heading up an independent audit of all of Facebook’s activities outside the U.S. Now, new challenges arise every day, and Hawkes says, “If you are not listening, then we have powers to force you to comply with legal requirements.” Editor’s Note: Read Angelique Carson’s interview with Billy Hawkes here.
Full Story

INFORMATION ACCESS—UK

Wales Council Signs Undertaking Over SARs (September 12, 2013)

The Cardiff City Council has signed an undertaking with the Information Commissioner’s Office (ICO) after a review of the council’s practices found that it was not properly complying with Subject Access Requests (SARs), reports Out-Law.com. The council committed to clearly defining and managing SAR procedures and training staff in them, as well as putting in place “appropriate checks and supervision” to ensure third-party data is handled according to the Data Protection Act. The ICO review stemmed from a complaint stating that after submitting a SAR, the complainant had not received a reply within the 40-day statutory timeframe.
Full Story

DATA PROTECTION—IRELAND

DNA Bill Leans Toward Destruction (September 12, 2013)

Minister for Justice Alan Shatter has published a bill on the establishment of a national DNA database, Irish Times reports. The bill takes into account privacy concerns about earlier versions of the bill on destruction of samples and deletion of DNA profiles, among others. Shatter’s bill would allow authorities to take DNA samples from most criminal suspects but the default would be in favor of the destruction of such samples when an individual is not convicted.
Full Story

PRIVACY LAW—EU

Opinion: Existing Rights Apply Online (September 12, 2013)

In a feature for New Europe, MEP Christian Engström writes about online privacy, suggesting the solution is to apply the offline laws already in place. “When we send a letter in the mail, its privacy is strictly safeguarded by laws, checks and balances,” he writes, suggesting, “If politicians want to be taken seriously by the digital citizens, it is time to start applying the rights and laws that we already have to the world they live in.” The solution is a simple one, where “not a single letter of the law needs to change. It’s just a matter of respecting communication on the Net just like we already respect the physical letter and the phone call,” Engström writes.
Full Story

PRIVACY ENGINEERING

Is 2013 the Year of the Privacy Engineer? (September 12, 2013)

With the recent introduction of a new master’s degree by Carnegie Mellon and an influx of privacy engineering job openings by large tech firms, will this be the year of the privacy engineer? “Though the term privacy engineering has been around since at least 2001,” writes Robert Jason Cronk, CIPP/US, “only recently has the computer science community tried to use it in a concrete and systematic way.” In this Privacy Perspectives post, Cronk, a privacy engineering consultant for Enterprivacy Consulting Group, delves into the work of privacy engineers and why they “must be in place to identify user-centric risks and help design solutions” to help organizations mitigate risks while improving data flows. Editor’s Note: Cronk, along with MITRE’s Stuart Shapiro, CIPP/US, CIPP/G, will lead the preconference workshop Privacy Engineering Primer later this month at the IAPP’s Privacy Academy in Seattle, WA.
Full Story

PRIVACY RESOURCES—EU

Insight on the EU Data Protection Regulation (September 12, 2013)

The EU Data Protection Regulation offers a new framework for the protection of individuals with regard to the processing of personal data and how that data is shared. This regulation will, if passed, supersede the EU Data Protection Directive and has caused much debate, controversy and discussion. In this IAPP Resource Center Close-Up, you’ll find links to the proposal, the directive, Article 29 Working Party opinions, related reports and communications as well as analysis and guidance offering, in essence, a history of the ongoing process of the implementation of the directive and the forming of the regulation.
Close-Up: EU Data Protection Regulation

ONLINE PRIVACY

Which Companies Top the ‘Privacy-Friendly’ List? (September 12, 2013)

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches.
Full Story

DATA THEFT—GERMANY

Hacker Accesses Two Million Vodafone Accounts (September 12, 2013)

Bloomberg reports that an intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. Compromised personal information includes names, addresses, dates of birth and bank account information but did not include credit card information, passwords, PIN numbers or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8 percent yesterday. The attack was detected earlier this month and was halted.
Full Story

SURVEILLANCE

NSA Fallout Continues; Latest News Involves Israel (September 12, 2013)

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying the U.S. government did a “bad job” of balancing people’s privacy and duty to protect. Tech executives did not tell the public about the NSA surveillance because, Mayer said, “Releasing classified information is treason” and would mean incarceration.
Full Story

BIOMETRICS

U.S. To Expand Data Sharing Overseas (September 12, 2013)

The Department of Homeland Security plans to expand foreign biometric data sharing, FCW reports. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals.
Full Story

BIOMETRICS

Apple Releases Include Fingerprint Sensor (September 11, 2013)

The New York Times reports on Apple’s release of two new iPhones Tuesday, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

MEPs Call for Halt to Anti-Terror Program (September 10, 2013)

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP), CIO reports. “I think there is more than enough evidence to call for a suspension,” said Dutch MEP Sophie in't Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, “The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.”

SURVEILLANCE

Internet Giants Make New Push for FISA Transparency (September 10, 2013)

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post.
Full Story

ONLINE PRIVACY

When “All About You” Isn’t About You at All (September 10, 2013)

Acxiom’s release of AboutTheData.com has been touted as a step forward for online data transparency, as it’s now possible to know what Acxiom and other data brokers likely know about you. But people are finding that Acxiom doesn’t seem to know much about them at all. And what they do know is wrong. In this installment of Privacy Perspectives, Jedidiah Bracy, CIPP/US, CIPP/EU, explores the impact the bizarro world of data brokerage could have on public perceptions of behavioral advertising and online tracking, and why this whole thing just might backfire.
Full Story

ONLINE PRIVACY

New Apps Give Posts a Shelf Life (September 10, 2013)

Reuters reports on the proliferation of mobile apps that allow users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. "With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control," said Spirit’s developer.
Full Story

PRIVACY LAW

The OECD Heralds the Arrival of the Privacy Profession (September 9, 2013)

For anyone following the field of privacy policymaking, the past two years have seen a flurry of activity unsurpassed in any other legal arena. Fittingly, the first reform process to come to fruition is that of the OECD Privacy Guidelines, which date back to 1980 and contain the first internationally agreed upon iteration of the now ubiquitous Fair Information Privacy Principles (FIPPs). Together with the expected result of the major reform processes in the U.S. and EU, the revised guidelines, slated to be launched later today on the OECD website and with a reception at the Canadian embassy in Washington, DC, are set to become the second generation of information privacy laws. As such, it is important to assess what has changed since their inception more than 30 years ago. In this installment of Privacy Perspectives, Omer Tene, who served as rapporteur for the Expert Group advising the OECD, examines the potential impact of the new guidelines.

PRIVACY LAW

New State Laws in the U.S. and Concerns About Notification in the EU (September 9, 2013)

In this week’s Privacy Tracker Legislative Roundup, find out about Google’s push to get its e-mail scanning case dismissed, changes to the HIPAA final rule, the latest FTC settlement, updates on proposals in California and new laws in New Jersey and Illinois—and those are just the U.S. developments. In Europe, one MEP has expressed “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. (IAPP member login required.)
Full Story

DATA PROTECTION

When It Comes to Success, PIAs Should Not Be Underrated (September 9, 2013)

Privacy impact assessments (PIAs) are likely to become the most vital item in the privacy professional’s toolkit. That’s according to Eduardo Ustaran, CIPP/E, who writes for Field Fisher Waterhouse’s Privacy and Information Law Blog that PIAs are an effective tool that can be used to send a powerful message within an organization that the privacy pro is “on the side of the organization” as far as innovation and progress while “coming up with sensible ways of preventing unjustifiable risks” for everyone’s benefit. PIAs are especially relevant when it comes to global compliance, as they reach outside of the legal obligations of a given regime, Ustaran writes. Editor's Note: Want tools and templates for conducting PIAs? See Close-Up: PIAs.
Full Story

PRIVACY COMMUNITY

Accountability Is About Values (September 6, 2013)

“Over the past year, I reflected on why I have been doing privacy for nearly a quarter of a century,” writes Martin Abrams. “And after reflection, I decided it is time for me to focus on the role of values in privacy.” In this Privacy Perspectives blog post, Abrams discusses his new role as leader of the Information Accountability Foundation and how organizations can institutionalize accountability “in businesses’ practices, regulatory oversight and the next generation of privacy law.” Editor's Note: For more information on accountability see Close-Up: Accountability in the IAPP Resource Center.
Full Story

PRIVACY LAW—EU

Breach Notification Schemes Prompt “Major Concern” (September 5, 2013)

Out-Law.com reports on a draft opinion from the European Parliament's Civil Liberties, Justice and Home Affairs Committee in which Swedish MEP Carl Schlyter cites a “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. “A major concern that remains regards the relationship of the proposed system to the notification system proposed under the General Data Protection Regulation, and their effective coexistence, which is one of the reasons we highlight the fact that any EU cybersecurity legislation should follow the adoption of the General Data Protection Regulation, not precede it," Schlyter writes.
Full Story

SURVEILLANCE—EU & U.S.

Obama Addresses EU Concerns (September 5, 2013)

The surveillance review board recently named by the White House is slated to meet with privacy advocates and representatives from technology companies in two separate meetings Monday, The Hill reports. A White House spokeswoman said it is not a “White House meeting” and a list of who will be attending has yet to be disclosed. Additionally, President Barack Obama addressed European Union concerns about the National Security Agency (NSA) surveillance program disclosures. “I can give assurances to the publics in Europe and around the world that we’re not going around snooping at people’s e-mails or listening to their phone calls.” Meanwhile, a Reuters report suggests EU privacy law will provide "no magic bullet against U.S. spying," quoting Eduardo Ustaran, CIPP/E, as saying, "It is certainly not up to Europe alone to determine what data can be accessed in the United States."
Full Story

TRAVELLERS’ PRIVACY—EU

Experts Discuss Smart Borders Package (September 5, 2013)

Press TV reports on a Brussels conference where experts discussed the European Commission's Smart Borders Package, which would use modern technology “to gather and retain personal information of people crossing EU borders.” While the commission has suggested the system would improve immigration controls, human rights groups are concerned. “Under the new measures, some 100 million people annually will have prints taken from each of their 10 fingers on entry or exit,” the report states, noting, “the exact location and time of entry and exit will be recorded and stored as well.”
Full Story

PRIVACY LAW—UK

ICO Examining “Rogue” PIs (September 5, 2013)

The Information Commissioner’s Office (ICO) “is looking into whether companies and individuals broke the law by using private investigators convicted of illegally obtaining private data,” Financial Times reports. The investigation follows the ICO’s receipt of information from the Serious Organised Crime Agency regarding “four private investigators found guilty of ‘blagging’ information from banks, the UK tax authority, mortgage providers and others,” the report states. The ICO will determine whether the investigators’ clients violated the Data Protection Act by using the detectives in question. (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING—GERMANY

Regulator “Astonished” By Facial Recognition Use (September 5, 2013)

IDG News Service reports on Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar’s reaction to Facebook’s announcement last week that it added facial recognition to its proposed privacy policy. “It is astonishing to find the facial recognition again in the new proposed privacy policy that Facebook published yesterday,” Caspar wrote last Friday, adding that using facial recognition in Germany might be illegal, depending on how the social network implements it. He noted an opt-in for users must be offered.
Full Story

DATA LOSS—UK

Council Fined 100,000 GBP (September 5, 2013)

The Information Commissioner’s Office (ICO) has fined Aberdeen City Council 100,000 GBP in the wake of “a bizarre incident that led to a number of children's personal data being uploaded to the Internet,” InformationAge reports. The case involved an employee taking files to work on from home, where the second-hand home computer “contained a file transfer programme that automatically uploaded the contents” to the web. The ICO cited the sensitivity of the data, inadequate data protection training and the lack of “necessary technical measures required to safeguard personal data from employee's home” as reasons for the fine.
Full Story

DATA LOSS

Treating Breaches as Customer Issues (September 5, 2013)

In a world rife with data breaches affecting organizations large and small, businesses should treat these events as customer issues rather than compliance issues, writes Experian Data Breach Resolution Group VP Michael Bruemmer, CIPP/US. Bruemmer points out that organizations often smoothly handle the technical and regulatory sides of a breach response, but he adds, “as I’ve seen time and time again, what you might be falling behind on is the consumer engagement side of breach response, and that’s when your customers start making calls.” In this Privacy Perspectives installment, Bruemmer offers a number of ways businesses can go beyond a “compliance-only response.”
Full Story

DATA PROTECTION

Opinion: Loyalty Cards Don’t Serve the Consumer (September 5, 2013)

In an article for Slate, Brian Palmer dares consumers to take six months off from using loyalty cards. Palmer cites British grocery chain Tesco’s program, in which the grocer monitored customers’ buying habits closely and sent coupons to those whose buying patterns slowed. “Would you prefer to shop at a store that increases profits by figuring out what you already do, then tricking you into doing it a little more often? Or a store that thinks creatively, brings you new products and showcases its wares in a novel way?” Palmer asks.
Full Story

ONLINE PRIVACY—FRANCE & GERMANY

Mosley Wants Censorship Google Isn’t Willing To Give (September 5, 2013)

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine, Financial Times reports. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship,” the report states. (Registration may be required to access this story.)
Full Story

BIG DATA

Information Pollution and the Internet of Things (September 4, 2013)

As we get closer to a super-connected world of devices and sensors—estimates posit that by 2020 there will be between 30 and 50 billion connected devices—privacy professionals will be faced with the massive issue of data access. In this Privacy Perspectives post, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, looks into this underlying problem, writing, “when so much information is collected—and across so many devices—how can we provide individuals with meaningful access to information in a way that is not totally overwhelming?”
Full Story

PRIVACY RESOURCES

What Do You Need To Build a Privacy Program? (September 4, 2013)

Privacy professionals looking to build a privacy program may need to call on “proactive strategies, persuasion, political savvy, adaptability and a passion to get an exciting new organizational function up and running”—never mind knowledge of relevant laws and how to comply with them—to get the job done. That’s according to the IAPP’s guide book, Building a Privacy Program: A Practitioner's Guide, one offering in this IAPP Resource Center Close-Up. You’ll also find freely accessible guides from the Massachusetts Office of Consumer Affairs and Business Regulation, an outline of IAPP award-winner Vodafone’s privacy program and articles to help you get buy-in from your organization.
Close-Up: How To Build a Privacy Program

SOCIAL NETWORKING

Pro-Privacy Attorney Leaving Twitter (September 4, 2013)

Twitter attorney Alex Macgillivray has announced his plans to leave the company, The Guardian reports. Macgillivray is credited with being aggressively pro-free speech and is described as being Twitter’s “conscience-in-residence,” turning the company into “one of the fiercest defenders of user privacy in cyberspace,” the report states. Macgillivray’s departure may have the industry wondering whether Twitter will “now have a less robust defence against government requests for user data and compromise its position on free speech and privacy online,” the report states.
Full Story

PRIVACY SCHOLARSHIP

Academics Explore the Intersection of Privacy and Big Data (September 4, 2013)

In anticipation of next week’s Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” Editor's Note: Look for IAPP coverage of the event next week.
Full Story

PRIVACY LAW

South Africa Gets a Law; Breach Notification Goes Into Effect in the EU, and More (September 3, 2013)

Last week saw a new law in South Africa, new guidelines from the Australian privacy commissioner, a new breach notification requirement in effect in the EU and U.S. states tackling big issues like e-mail and location privacy in the absence of forward motion on a federal level. In this week’s Privacy Tracker legislative roundup, you’ll get more in-depth information on all of the above and more—including a series of cases in Minnesota questioning the liability of government agencies when an employee violates the Driver’s Privacy Protection Act. (IAPP member login required.)
Full Story

ONLINE PRIVACY—UK & U.S.

Aggregator To Show Users Their Data (September 3, 2013)

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them, The New York Times reports. Users who visit AbouttheData.com will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data came from originally. Acxiom’s CEO says the company aims to alleviate consumer fears on data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Project Aims To Educate About Digital Footprints (September 3, 2013)

GigaOm reports on a National Science Foundation-funded project called Teaching Privacy and a related online tool that lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity.
Full Story