European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY COMMUNITY

A Record Night of Privacy After Hours Gatherings (January 31, 2014)

Privacy pros know that when they gather on IAPP Privacy After Hours nights they are part of something big. This past Tuesday night, however, was bigger than ever. More than 500 people who work with data—from all levels of experience, every sector and industry—gathered around the world in more than 30 locations. A big thank you to our volunteer hosts for setting up gatherings being described by participants as “extremely successful” and “practically a party … people didn’t want to leave.” For The Privacy Advisor, we’ve gathered up some scenes from around the globe.

PRIVACY RESOURCES

New Whitepapers on Cloud Computing (January 31, 2014)

The IAPP has recently added to the Resource Center a series of four articles by Kuan Hon, Christopher Millard, Ian Walden and Julie Hornle of Queen Mary University of London. The articles cover topics including what personal data is regulated in cloud computing, who is responsible for it, jurisdiction concerns and exporting data outside the European Economic Area. Editor’s Note: Christopher Millard will take part in the preconference session The Privacy Pro's Field Guide to Contracting and Compliance in the Cloud at this year’s Global Privacy Summit. Register for the session online and receive a free copy of Millard’s book, Cloud Computing Law.

BEHAVIORAL TARGETING

Researcher Identifies 212 Data Brokers; Fewer Than Half Allow Opt-Outs (January 31, 2014)

Journalist and author Julia Angwin recently sought to find the information commercial data brokers store about her, she reports on her blog. During her research, she discovered some of the data was incorrect—one broker asserting she was a single mother with no education—and decided to opt out. But fewer than half of the 212 data brokers Angwin identified offered opt-outs—there are no laws requiring they do so. In this post, Angwin provides two downloadable spreadsheets for users to both identify data brokers and then decipher which of them allow opt-outs. Editor's Note: Julia Angwin will give a keynote address at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.

SURVEILLANCE—UK & U.S.

Leaks Reveal More Surveillance Programs (January 30, 2014)

In two separate leaks from Edward Snowden, new documents reveal several previously undisclosed surveillance programs being conducted by the U.S. NSA and the UK’s GCHQ. This roundup for The Privacy Advisor looks at these and other surveillance-related reports. According to an NBC News report, the British government can tap into and access data from cables transmitting the world’s web traffic to spy on user activity on some of the Internet’s most popular social media sites, and The Guardian reports that the NSA and GCHQ target “leaky” phone apps. Meanwhile, the European Court of Human Rights “has fast-tracked a complaint” that alleges the UK “illegally used Internet and telecommunications networks to systematically spy on its citizens,” IT World reports.

DATA PROTECTION—EU & U.S.

Will FTC’s Recent Safe Harbour Settlements Quench Europe’s Thirst for Enforcement? (January 30, 2014)

The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges the companies allowed their Safe Harbour certifications to lapse but still indicated their certifications were valid. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC's court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. This exclusive for The Privacy Advisor zooms in. Meanwhile, EurActiv reports on Justice Commissioner Viviane Reding's concerns about Safe Harbour.

DATA LOSS—UK

Healthcare Data Breach Reports Almost Double (January 30, 2014)

Healthcare data breaches reported to the Information Commissioner's Office (ICO) in the third quarter of 2013 were “almost double the number reported in the first three months of last year,” Out-Law.com reports. The ICO also published figures indicating a 25-percent increase in data breaches across industries. “The figures, newly published by the ICO, reveal that a total of 420 data breaches across all sectors were reported to the watchdog in Q3 last year compared with 335 during the first three months of 2013,” the report states, noting that second to the health sector, local governments reported the largest number of breaches.

PRIVACY—SWEDEN

Tele2 Seeks Single Data Privacy Body; Website Raises Concerns (January 30, 2014)

Tele2 Sweden is asking the government to create an independent authority “to protect data integrity,” Telecompaper reports, citing a letter written by Tele2 CEO Thomas Ekman and Chief Legal Counsel Stefan Backman on Data Protection Day. “Despite a 68 percent raise in mobile data traffic from the first half of 2012 to the first half of 2013, little has changed among public authorities to deal with the challenges involved in protecting privacy,” the report states. In other news, The Local reports on a Swedish website that allows people to “check out their neighbours' criminal records” and the concerns privacy experts have about the site.

INTERNET OF THINGS—BELGIUM

Commission Investigating Smart TVs (January 30, 2014)

The Privacycommissie is investigating privacy aspects of smart TVs and set-top boxes from Telenet and Belgacom TV, Broadband TV News reports. The investigation was prompted “by developments in The Netherlands, where the activities of smart TV manufacturers came under scrutiny,” the report states, noting the two TV companies “are keeping records of viewing behaviour of their customers … but all parties emphasise the fact that customers can opt out.” Commission Spokeswoman Eva Wiertz said, “Legally, those companies are acting within the law … But that does not mean that recording viewing habits can’t cause privacy problems.”

ONLINE PRIVACY—EU & U.S.

Study Highlights Differing Perspectives (January 30, 2014)

On the eve of Data Protection Day, ZDNet reported on the debate over online privacy being more complicated than ever. “Pre-Snowden, most discussions of privacy focused on data collection by giant advertising and analytics companies. That was the impetus for the Do Not Track initiative,” the report states, adding, “Post-Snowden, discussions of online privacy have taken on a darker tone, one that regularly verges on scenarios that would have been considered paranoid only a year ago.” With this week’s being the first Data Protection Day in this new era, the report examines a recent Microsoft survey “of technically sophisticated customers” in the U.S. and EU that found, “not surprisingly, there are some big differences in attitudes between consumers in the U.S. and those in the more privacy-sensitive European Community.”

PRIVACY BY DESIGN

Whitepaper Highlights Emerging Privacy Engineer Discipline (January 30, 2014)

A new whitepaper surveying the emerging discipline of privacy engineering has been released. Co-written by Ontario Information and Privacy Commissioner Ann Cavoukian, Stuart Shapiro of the MITRE Corporation and Enterprivacy Consulting Group’s R. Jason Cronk, CIPP/US, Privacy Engineering: Proactively Embedding Privacy, by Design “seeks to promote a broader understanding and deeper practice of privacy engineering.” Editor’s Note: In a Privacy Perspectives installment, Cronk wrote, “Is 2013 the Year of the Privacy Engineer?”

PERSONAL PRIVACY

Which Information Do Consumers Most Closely Guard? (January 29, 2014)

Though consumers don’t always know how companies collect their data, which often causes a “trust gap,” evidence exists that consumers are still willing to exchange some of their personal information for products and services. Create with Context (CwC) recently surveyed 800 consumers to find out what information they would be willing to give up “in exchange for 50 percent off three different items: a gallon of milk, a large-screen television and a new car.” This Privacy Perspectives post reveals what CwC’s Ilana Westerman and Gabriela Aschenberger found, including how “97 percent of respondents said they’d be willing to give up at least one piece of data about themselves in exchange for a discount,” while noting that consumers don’t guard “all their information with equal vigilance.” 

PRIVACY

Given the Heightened Fervor, What’s To Come in 2014? (January 29, 2014)

In this exclusive for The Privacy Advisor, Brian Dean, CIPP/US, pulls out his “foggy crystal ball” and prognosticates the future of privacy and security, looking at controversial topics including Safe Harbor, the NSA, the erosion of consumer trust, facial recognition and data brokers. “For data privacy and security professionals, this year offers optimism, but with looming midterm elections and recent significant data breaches, only subtle privacy improvements are likely,” Dean writes.

PRIVACY

IAPP Releases Two New Whitepapers for #DPD2014 (January 28, 2014)

Looking for tools to help you spread the message of privacy professionalism through your organization or community? The IAPP has released for Data Privacy Day two new whitepapers. “Privacy Policies: How To Communicate Effectively With Consumers” is a collaboration between the IAPP, Kinsella Media and Rust Consulting and features new research on how consumers interact with privacy notices posted online. “Privacy 101 for SMEs: The Best Defense Is a Good Offense” was written by IAPP VP of Research and Education Omer Tene and Network Advertising Initiative President and CEO Marc Groman, CIPP/US, and provides practical advice for setting up a privacy program at, for example, a small tech start-up. Both papers are free for download and can be distributed as you see fit. Help spread the word of professional privacy practices. Editor’s Note: Celebrate Data Privacy Day at one of a record 36 scheduled Privacy After Hours events tonight.

PRIVACY

Opinion: Privacy Is Not Dead; Innovate for the Future (January 28, 2014)

“It’s time to get over zero-sum thinking about Internet privacy,” writes Respect Network CEO Drummond Reed, adding, “Privacy is not dead or dying because of the advances in new technologies.” Reed’s comments are in response to a recent Privacy Perspectives post by IU CLEAR Director Stanley Crosley, CIPP/US, CIPM, called “Old School Privacy is Dead, But Don’t Go Privacy Crazy.” Reed opines in his response on Perspectives that “it’s not an either/or proposition, and the thought of abandoning the notion of user control simply invites control by others.” Instead of “suggesting that privacy must adapt to technology,” Reed notes, privacy should be “embedded into technology systematically so as to remove the burden from the individual to protect their privacy.”

DATA PROTECTION—EU

EU Officials Seek Deal by Year’s End; Hustinx To Stay on the Job (January 28, 2014)

Bloomberg reports on EU plans for negotiations on the data protection regulation to resume, with EU officials agreeing on a roadmap that would see the law adopted before the end of this year. “We cannot afford any more delay,” said German MEP Jan Philipp Albrecht. Meanwhile, EU Justice Commissioner Viviane Reding recently discussed with the BBC how the U.S. National Security Agency’s spying revelations were a “wake-up call.” And outgoing European Data Protection Supervisor Peter Hustinx has agreed to stay on the job until October after the European Commission rejected the candidates seeking to replace Hustinx.

PRIVACY COMMUNITY

Want to Speak at the All-New Academy? (January 28, 2014)

The IAPP and the Cloud Security Alliance have opened up the call for presentations for the 2014 Privacy Academy, a joining of the IAPP Privacy Academy and the Cloud Security Alliance Congress. The event happens September 17-19, and the programmers of the event are looking for innovative presentations in areas like the Internet of Things and connected devices, Big Data, risk management, privacy and cloud computing, employee privacy issues like BYOD and many more. This is the place where information security and privacy meet up to find technological solutions to the leading privacy issues of our day. The call for proposals ends February 21.

PERSONAL PRIVACY—UKRAINE & U.S.

Was It a Week of “Tangible” Privacy Harms? (January 27, 2014)

Two recent news events may show evidence of “tangible” privacy harms. One involved a U.S. family that received marketing mail from OfficeMax in an envelope reading, “Daughter Killed In A Car Crash Or Current Business,” prompting this Privacy Perspectives post to ask, “Can we safely say this was a tangible privacy harm?” The second event involved the riots in Kiev, Ukraine, and a government text message warning citizens within that location, “Dear subscriber, you are registered as a participant in a mass riot.” With new laws mandating potential 15-year sentences for participating in such riots, Perspectives asks “what if you were just a random person going about your day on the side of the street and received that text message? Does the dark pit of fear that developed in your stomach count as harm?”

PRIVACY LAW

Privacy on the Docket from Davos to DC (January 27, 2014)

While industry leaders at the World Economic Forum in Davos, Switzerland, called for new rules surrounding data protection, the U.S. Supreme Court announced it will hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. And, the U.S. Federal Trade Commission announced settlements with 12 companies over false claims of alignment with Safe Harbor rules. In this Privacy Tracker roundup, learn about these issues as well as bills being considered by U.S. state legislatures, how Obama’s NSA plans may affect EU law and more. (IAPP member login required.)

DATA PROTECTION

E-Receipts Helping Retailers Do More than Save Paper (January 27, 2014)

Paper receipts are headed toward extinction, Today reports, as e-receipts increasingly become commonplace. But e-receipts may serve more of a purpose for merchants than is obvious. “Merchants see digital receipts as a way to ‘engage’ with their customers. Translation: They see this as a new marketing channel—an efficient way to sell you more stuff,” the report states. While collecting customer data can be difficult, e-mailing receipts is “a fairly effective and simple way to get accurate contact points for your customer base,” says one CEO. A recent Epsilon International report found that 83 percent of retailers offering e-receipts did so to obtain a customer’s e-mail address.

PRIVACY TOOLS

A New Handy Guide to Global DPAs (January 24, 2014)

The legal world is still fond of reference books. How many of you have giant binders on your shelves into which you insert this year’s latest update on some area of law or other? For a quickly changing legal environment like privacy, though, your binder fills up fast. Pretty soon, you need another binder. Luckily, we have the Internet. DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 3.0 just in time for Data Privacy Day. Find out where it lives and how it was developed in this exclusive for The Privacy Advisor.

PRIVACY BUSINESS

IAPP Launches Industry of Privacy Survey (January 24, 2014)

As part of our organization’s efforts to better understand the industry of privacy and the collective budgetary power of privacy professionals, the IAPP has launched an ambitious program to study the economic impact of the privacy industry and distribute the results to the world at large. And we need your help. Please take our first survey and be part of this effort to benchmark spending and help privacy professionals around the globe better shape their privacy programs.

BIOMETRICS

Facial Recognition Databases Demand “Responsible” Actions; App Explores Augmented Reality (January 24, 2014)

In a column for The Atlantic, Profs. Woodrow Hartzog and Evan Selinger highlight the importance of separating facial recognition apps and large databases in order to protect privacy and relative anonymity in public. “No matter how powerful a facial recognition app is designed to be, it can’t get the job done without being connected to a database that links names to faces,” they write, adding, “the key is to ensure legal and social pressure demands the same responsible behavior from database owners as it does from designers, hosts and users of facial recognition technologies.” Meanwhile, CNET News reports on an augmented reality app planned for Google Glass. The Brain app would lay data from the virtual world—such as a Facebook profile—over what’s being observed in the real world. The company’s chief executive said, “We are trying to develop the platform … to try to anticipate and understand what you need and what you want and then present it when you need it.”

PRIVACY LAW—UK

Tribunal: Voluntary Reporting Does Not Mean Automatic Immunity (January 23, 2014)

The Upper Tribunal of the UK Information Rights Tribunal has ruled in the case of Central London Community Healthcare Trust v Information Commissioner “that organisations which voluntarily report incidents of data security breaches to the ICO do not gain automatic immunity from penalty fines in relation to that breach,” Mondaq reports. The tribunal rejected the trust’s appeal that the ICO’s fine of 90,000 GBP in 2012 was wrong “on the grounds that it had self-reported the breach notifying the ICO.” Meanwhile, a separate report from TechWeekEurope quotes comments from Field Fisher Waterhouse’s Stewart Room, CIPP/E, that “When it comes to looking at regulatory pain, financial penalties, business needs to rebalance the focus away from general compliance issues, towards the security and confidentiality arenas.”

HEALTHCARE PRIVACY—UK

Intersection of Big Data, Healthcare Promises Benefits But Raises Concerns (January 23, 2014)

The Guardian reports on how the “ability to create and capture data is exploding and offers huge potential for the NHS to save both lives and scarce resources” as well as “the potential to personalise healthcare for every NHS patient.” In a separate report, the newspaper looks at privacy concerns around a plan to sell NHS patient information—“scrubbed of some personal identifiers”—to drug and insurance firms. Health and Social Care Information Centre’s Mark Davies has indicated “the process for anonymising personal medical information, aggregating the data and selling it to third parties such as medical researchers and insurance companies does not have to guarantee individuals' privacy to comply with UK data protection rules,” the report states.

DATA LOSS—GERMANY

Analysis Uncovers 16M Stolen E-Mail Addresses (January 23, 2014)

The Federal Office for Information Security (BSI) recently announced that an analysis of botnets uncovered 16 million stolen e-mail addresses and passwords, eSecurity Planet reports. The BSI is hosting a website “where users can enter their e-mail addresses to check whether or not they were on the list,” the report states, noting, “If an e-mail address matches, an e-mail is automatically sent to that address confirming the breach and providing advice on security measures to take in response.”

DATA LOSS—IRELAND & UK

Breaches on the Rise; Security Concerns Paramount (January 23, 2014)

A new survey from The Irish Computer Society indicates organisations in Ireland “are suffering data breaches in record numbers,” Independent.ie reports, noting “more than half of Irish firms have experienced a data breach in the last 12 months, with 22 percent suffering multiple breaches.” And, the respondents indicated, most of those breaches could be traced to “negligent employees.” Meanwhile, in the UK, Out-Law.com reports the Institute for Chartered Accountants in England and Wales is warning companies that share information during corporate finance deals “are at greater risk of falling victim to cyber-attack,” urging them to treat cybersecurity as “a high priority.”

PRIVACY LAW

Laws, Amendments Set To Roll Out Across Globe (January 23, 2014)

This Privacy Tracker weekly roundup reports on new compliance hurdles for organisations in Canada and Australia as new laws are set to roll out in those countries. In the EU, the LIBE has published amendments it would like to see in the Network and Information Security (NIS) Directive. The report also looks at lawmakers’ efforts to get privacy-protecting laws on the books in the U.S., where FTC Commissioner Maureen Ohlhausen has called for legislators to look to existing laws, saying, “We simply do not need new talk, new laws or new regulations.” (IAPP member login required.)

DATA PROTECTION

Microsoft Hints Overseas Users Can Store Data Outside U.S. (January 23, 2014)

Microsoft General Counsel Brad Smith has suggested that overseas users will be able to store their data outside of the U.S., in what Reuters reports as “the most radical move yet by a U.S. technology company to combat concerns that U.S. intelligence agencies routinely monitor foreigners.” According to Financial Times, Smith said users “should have the ability to know whether their data are being subjected to the laws and access of governments in some other country and should have the ability to make an informed choice of where their data resides.” As one example, Smith said, Europeans could choose to store their data in Microsoft’s data center in Ireland.

CONSUMER PRIVACY—EU & U.S.

FTC Settles Safe Harbor Charges Against 12 Companies (January 22, 2014)

The Federal Trade Commission (FTC) has settled with 12 U.S. companies over charges the companies falsely claimed they were abiding by Safe Harbor rules. The companies involved spanned various industries, including mobile apps, DNA testing and professional sports. The complaints filed by the FTC state the companies allowed their EU-U.S. Safe Harbor certifications to lapse, despite claims in their privacy policies or Safe Harbor certification marks indicating otherwise. Three of the companies were also charged with falsely claiming to abide by the U.S.-Swiss Safe Harbor framework. The settlements, which follow criticism from the European Commission that the Safe Harbor framework has not been effectively enforced, are now open for public comment. FTC Chairwoman Edith Ramirez said Safe Harbor enforcement is a priority and the cases “send a signal to companies” that they can’t falsely claim certification. In a blog post on the FTC’s site, Lesley Fair, senior attorney with the Federal Trade Commission's Bureau of Consumer Protection, says this is fair warning that, “If you feature the Safe Harbor mark on your site or refer to your participation, remember that you must ‘re-up’ every year.”

PRIVACY LAW—EU & U.S.

How Obama’s NSA Plans May Affect EU Law (January 22, 2014)

President Barack Obama’s plans for surveillance reform, as revealed in his speech last week, “have had a lukewarm reception by European politicians,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “Such reforms are a work in progress that will extend over months and years, but Obama’s stance is bound to have a very direct effect on existing and forthcoming EU data protection requirements,” he adds. In this installment of Privacy Perspectives, Ustaran lays out his predictions “about the practical impact of the proposed plans in Europe.”

PRIVACY LAW

At World Economic Forum, Industry Leaders Call for New Privacy Rules (January 22, 2014)

In a blog post, Microsoft General Counsel Brad Smith has called for “an international legal framework—an international convention—to create surveillance and data access rules across borders” and has said the current legal structures are out-of-date, prompting “some governments, as we’ve learned over the past year … to take unilateral actions outside the system,” CNET News reports. Smith is expected to take part in a World Economic Forum (WEF) panel discussion about the public perceptions of surveillance, data security and privacy in light of the NSA disclosures. BT Group Chief Executive Gavin Patterson, also speaking at the WEF, said customers cannot be guaranteed 100-percent privacy online and called for updates to “murky” data collection laws, The Guardian reports. Meanwhile, DW reports on Human Rights Watch's call this week for "a clear regulatory framework to keep intelligence services in check."

SURVEILLANCE

Verizon Releases First Transparency Report (January 22, 2014)

In a press release on its website, Verizon has released its first transparency report for law enforcement requests in the U.S. and “other countries in which we do business.” According to the release, “Although Verizon has released a great deal of information over the past few years regarding the number of law enforcement demands we’ve received, Verizon’s online Transparency Report now makes an expanded data set more easily accessible.” The company said it will update the report semi-annually. Verizon also said it saw an increase in the number of law enforcement demands in 2013, as compared to 2012.

ONLINE PRIVACY

Study Uncovers Tor Sabotage; Privacy Tools Used by 28 Percent Globally (January 22, 2014)

A group of computer scientists has found at least two dozen computers actively trying to sabotage the Tor privacy network, according to Ars Technica. The newly released paper, Spoiled Onions: Exposing Malicious Tor Exit Relays, is one of the first studies to document exit nodes purposely attempting to tamper with encrypted messages between the exit node and the open Internet. Developer Tal Ater has recently demonstrated that a microphone permission policy in Google Chrome can allow any site enabled for voice recognition to transcribe everything in range of the device without the user knowing. Separate research has revealed that privacy tools are used by 28 percent of the online world, or an estimated 415 million users. The GlobalWebIndex (GWI) study also found that 56 percent of those surveyed said they believe the Internet is eroding their personal privacy. The GWI study notes 11 percent of all users say they use the Tor network.

GEOLOCATION—UKRAINE

Gov’t Locates Riot Participants, Sends Text Warnings (January 22, 2014)

The Guardian reports on the Ukrainian government’s efforts to quiet violent protests, including a text message sent to mobile phone users in the vicinity of the clashes reading, “Dear subscriber, you are registered as a participant in a mass riot.” The interior ministry has denied involvement in sending the texts, as have two telephone providers. Another provider said, “We strictly observe the confidentiality of our users, their telephone numbers and locations.” The interior ministry did say it is using video footage to arrest the most active participants in the riot. The protests were sparked by new laws on public gatherings.

DATA PROTECTION—EU & U.S.

Opinion: Stop Confusing Safe Harbor with State Surveillance (January 22, 2014)

In an opinion piece for ComputerWeekly, Morrison & Foerster’s Cynthia Rich writes that suspending the EU-U.S. Safe Harbor program under the assumption it facilitates NSA surveillance is misguided. None of the data transfer mechanisms in the EU offers protection against government surveillance, Rich says, and “shutting out U.S. companies may appeal to market protectionists, but in the end, will only disadvantage European consumers.” Further, Federal Trade Commission enforcement of Safe Harbor has been more rigorous than the European Commission claims, she writes. Meanwhile, San Jose Mercury News columnist Mike Cassidy opines that the recent Target hack indicates that “the privacy war is over—and we lost.”

DATA PROTECTION

Top Tips for a Data Incident Plan (January 21, 2014)

With recent data breach incidents practically saturating headlines, and with increasing evidence that preventing breaches altogether is next to impossible, Online Trust Alliance Director of Public Policy and Outreach Heather Federman, CIPP/US, writes about the importance of developing a data incident plan (DIP). “The DIP is a playbook that describes the breach fundamentals an organization can deploy on a moment’s notice,” she writes, adding, “A good DIP helps you quickly determine the nature of an incident, immediately contain it, ensure evidence is not accidentally ruined and easily notify regulators.” In this Privacy Perspectives post, Federman, “in honor of the upcoming Data Privacy Day” next Tuesday, January 28, presents the top 14 tips for creating a DIP.

PRIVACY LAW—EU

Reding Calls for Billion-Dollar Fines (January 21, 2014)

European Commission Vice President Viviane Reding is calling for larger fines against companies that breach the EU’s privacy laws, BBC News reports. Reding “dismissed recent fines for Google as ‘pocket money’ and said the firm would have had to pay $1 billion under her plans for privacy failings,” the report states, noting she believes increased punishments are needed to encourage firms to take personal data use more seriously. Out-Law.com, meanwhile, reports the EU’s Court of Justice “is set to rule in a case involving Google and the judgment could offer some clarity about which local data protection rules will apply to multinational Internet service providers that process personal data abroad but have a business presence in a local jurisdiction.”

PRIVACY

Opinion: Old-School Privacy Is Dead, Embrace the New School (January 21, 2014)

“There is nothing left to debate. Our old-school privacy, as we’ve known it for decades, is dead and buried,” writes Indiana University Center for Law, Ethics and Applied Research Director Stanley Crosley, CIPM, CIPP/US. “But there’s good news,” he adds in this installment of Privacy Perspectives. “If your notion of privacy is defined by your personal control over all of the data about you, well, you’re privacy crazy, and I have tragic news: That privacy is lost.” Crosley notes that regulations “that default to all ‘use’ of data as being impermissible unless authorized by the individual are trying to protect a version of privacy that no one really wants”—the equivalent of going back to using “VCRs and flip phones.” Rather, Crosley explains, “our parents’ brand of privacy is being replaced by a better, more sustainable and meaningful privacy.”

PRIVACY BUSINESS—GERMANY

Privacy Proving To Be Tech Industry Driver (January 21, 2014)

With “some of the world’s toughest privacy laws,” “an unusually large number of hackers and security experts” and “a deep appreciation for privacy among the German people,” Germany is seeing entrepreneurs in the wake of the Snowden revelations looking to privacy-focused business models, reports Forbes. Germany is now home to start-ups ZenGuard, an encryption service; Blippex, a search engine “built with user privacy in mind,” and Arriver, “a social navigation tool developed on the principle of neutrality.” State-level business support is available to these start-ups through innovation funding programs, and Arriver CEO Felix Langhof says, “The privacy relevance is only just beginning to dawn on all of us.”

PRIVACY LAW

Making a Privacy Law for the 21st Century (January 20, 2014)
With the EU’s proposed General Data Protection Regulation (GDPR) hanging in the balance, some think it a good time to go back to the drawing board. “Better, I think, to start again and design a good law than to adopt legislation for the sake of it—no matter how ill-suited it is to modern-day data processing standards,” writes Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E. In this post for Privacy Perspectives, Lee reflects on what a “21st-century data protection law ought to achieve, keeping in mind the ultimate aims of protecting citizens’ rights, promoting technological innovation and fostering economic growth.”

BIG DATA

Privacy, Security Leading Issues for Big Data, IoT (January 20, 2014)

A 2014 predictions report from Stratecast finds “privacy will ‘almost certainly’ be the leading Big Data issue this year,” InformationWeek reports, questioning how that could impact such retail “Big Data” uses as “in-store analytics systems that use WiFi-enabled devices—typically smartphones—to gather information on customers' shopping and purchasing habits.” Meanwhile, Financial Post reports on similar concerns for the Internet of Things, where questions about security and privacy continue to grow with the use of “smart home” devices. "It's getting more complicated," Gartner’s Angela McIntyre said, citing the broadening types of data being collected. "Companies are realizing they need to update their privacy policies and terms of service (with) easy-to-read disclosure of privacy up front."

PRIVACY COMMUNITY

Cavoukian: “So Glad You Didn’t Say That” (January 17, 2014)
In the latest response in an ongoing Privacy Perspectives dialogue, Ontario Information and Privacy Commissioner Ann Cavoukian responds to this week’s post by Oxford Prof. Viktor Mayer-Schönberger. “My first thought … was, ‘I’m so glad he didn’t mean that!’ In sum, Mayer-Schönberger assures me that our views are aligned as follows: The belief that individuals have an interest in privacy protection; privacy should be anchored in the OECD Fair Information Practice Principles; the public should have control over their personal information, and privacy does not impede innovation,” she writes. Cavoukian later writes, “it is nonetheless important to voice other perspectives, such as Privacy by Design, that are not currently reflected in his view of how the OECD principles should be revised,” noting she will hold a live webinar on January 24 on the topic “Big Data Calls for Big Privacy—Not Only Big Promises” with Commissioner Alexander Dix, Professor Khaled El Emam and CDT President Nuala O’Connor, CIPP/US. Mayer-Schönberger participates in a separate webinar, “Privacy Models: The Next Evolution,” alongside Fred Cate, O’Connor, David Hoffman and Peter Cullen, on January 21.

PRIVACY LAW—EU

Is the EU’s “Anti-FISA” Clause Practical? (January 17, 2014)

The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg in this installment of Privacy Perspectives. Svanberg notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?”

PRIVACY LAW—EU

LIBE Publishes NIS Directive Draft Amendments (January 16, 2014)

Out-Law.com reports on the Committee on Civil Liberties, Justice and Home Affairs (LIBE) publication of “a list of draft amendments MEPs in the group would like to see made to the European Commission's proposed Network and Information Security (NIS) Directive.” The proposed NIS Directive, first published last year, “aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems,” the report states. MEP Marie-Christine Vergiat has suggested the standard of protection should differ by organisation, while other proposals include recommending the NIS Directive’s implementation be postponed until after the introduction of EU data protection reforms.

SURVEILLANCE—UK

Vodafone Plans To Disclose Wiretap Demands (January 16, 2014)

The Guardian reports on Vodafone’s plans “to take a stand on privacy by asking British ministers, and the governments of each of the 25 countries in which it operates, for the right to disclose the number of demands it receives for wiretapping and customer data.” Amidst the continued fallout of the Snowden revelations, Vodafone plans to write to Home Secretary Theresa May and Justice Secretary Chris Grayling seeking improved transparency. "We want all of our customers worldwide to feel they are at liberty to communicate with each other as they see fit. We want our networks to be big and busy with people who are confident they can communicate with each other freely; anything that inhibits that is very bad for any commercial operator," said Vodafone CPO Stephen Deadman. Editor’s Note: Deadman recently spoke on a panel related to surveillance at the IAPP Europe Data Protection Congress, featured in this report from The Privacy Advisor.

PRIVACY LAW—FRANCE & UK

Google Appealing CNIL Fine; UK Court Says Suit Can Proceed (January 16, 2014)

Google has announced it is appealing the CNIL’s recent 150,000-euro fine, IDG News Service reports. A company spokesman confirmed the appeal but declined to comment on its details, while a French newspaper reported Google lodged the appeal “on Monday with the Council of State” seeking “a suspension of the ruling,” the report states. The CNIL fined Google last week “for introducing new privacy policies breaching French data protection laws.” Meanwhile, the UK High Court ruled Thursday in a case brought by Apple Safari users that “Google can be sued by a group of Britons over an alleged breach of privacy, despite the company being based in the U.S. and claiming that the case was not serious enough to fall under British jurisdiction,” The Telegraph reports.

SURVEILLANCE—THE NETHERLANDS

CBP: Company Broke Law By Filming Employees (January 16, 2014)

The Dutch Data Protection Authority (CBP) has found electronics retailer Media Markt broke privacy laws by using “mystery shoppers equipped with hidden cameras to film shop staff,” Dutch News reports. The CBP has said companies may only film staff with secret cameras under specific conditions, such as instances of widespread theft. Media Markt used the results of the surveillance, along with images from security cameras, in personnel evaluations, the report states. Media Markt has apologised, and the CBP has not yet decided whether it will fine the company.

PRIVACY LAW—EU & FINLAND

Court of Human Rights Supports Finnish Court Decision (January 16, 2014)

The Wall Street Journal reports on a European Court of Human Rights ruling supporting an earlier Finnish court decision to fine author Susan Ruusunen for writing “a tell-all book” in 2007 about then-Prime Minister Matti Vanhanen. “The judgment on Tuesday is the latest example of the Strasbourg-based court having to toe the line between upholding the European Convention on Human Rights articles of freedom of expression and the privacy rights of people, even those in the spotlight,” the report states. Finland’s Supreme Court found against Ruusunen and her publisher back in 2010. (Registration may be required to access this story.)

PRIVACY BUSINESS

IAPP and CSA Announce New Strategic Alliance (January 16, 2014)
The IAPP announced today that it has created a new strategic alliance with the Cloud Security Alliance, a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing. The alliance’s most tangible result will be the joining of the IAPP Privacy Academy and CSA Congress into a single event to be held September 17 to 19 at the San Jose Convention Center in San Jose, CA. “Cloud security and privacy matters continue to twist and turn, especially given events of late, with the industry in constant pursuit for the best knowledge and practices to stay ahead of what’s next in securing all forms of computing,” said CSA CEO Jim Reavis. “Through this union, this event is now the center of gravity for information governance and management professionals to navigate the continually evolving challenges of the digital economy,” said IAPP President and CEO Trevor Hughes, CIPP.

DATA PROTECTION—EU

The Baffling Case of the Headless EDPS (January 16, 2014)

On Thursday, in his last speech of his mandate as European Data Protection Supervisor (EDPS), Peter Hustinx urged Germany to take the lead in reform of the EU data protection framework. And now, after 10 years of service, Hustinx is retiring from “what is in essence the EU’s top data protection authority.” But the future leadership of the office is in question. Earlier this month, news came out that a “selection board” found that none of the successor candidates were “sufficiently qualified” for the position, thereby delaying the selection, possibly by months. “After working in Brussels for the last 15 years,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner, “I have become accustomed to the byzantine machinations of European politics.” But, in this installment of Privacy Perspectives, Kuner notes the “spectacle that is currently unfolding … paints a particularly dismal picture of how data protection in the EU can become a political football.”

PRIVACY COMMUNITY

“I Never Said That” - A Response to Cavoukian et al. (January 15, 2014)
In response to a Privacy Perspectives post and announcement of a whitepaper from last week, author and Oxford University Internet Governance Prof. Viktor Mayer-Schönberger writes that “assumptions” made by Ontario Information and Privacy Commissioner Ann Cavoukian et al. “are not borne out in fact.” Mayer-Schönberger adds, “I very much appreciate a robust debate about the future of how we best protect information privacy … But without knowing exactly what I said, the whitepaper may respond to a straw man’s argument and thus offer much reduced value.” In this new Privacy Perspectives installment, Mayer-Schönberger aims to offer readers “the opportunity to appreciate what I actually said…”

PRIVACY RESOURCES

Looking To Hire or To Hone Your Interview Prowess? (January 15, 2014)

New to the IAPP’s online Resource Center is a list of interview questions submitted by several dozen subscribers to the IAPP Privacy List. With the help of Jay Cline, CIPP/US, of Minnesota Privacy Consultants, the IAPP compiled this collection of list subscribers’ favorite questions to find the privacy job candidates with the highest potential. Topics covered include incident management, running a privacy program, legal concepts and EU privacy.

PRIVACY BUSINESS

Privacy-Enhancing Phone, Dating App Unveiled (January 15, 2014)

The creators of Silent Circle have announced they will unveil a privacy-enhancing smartphone called Blackphone, GigaOM reports. The device, which will be available for preordering on February 24, uses a secure version of Android called PrivatOS; it will support secure phone calls, texts, file exchanges and storage, and video chat, and will anonymize use via a virtual private network. Creator Phil Zimmermann said the phone “provides users with everything they need to ensure privacy and control of their communications, along with all the other high-end smartphone features they have come to expect.” Meanwhile, the makers of SinglesAroundMe have announced a patent-pending technology that allows users to change their locations to preserve their privacy. The “Position-Shift” algorithm gives users control over their location and who knows it. Fujitsu Laboratories has announced an encryption search that keeps data encrypted to maintain privacy, and Twitter has announced it is enforcing SSL encryption for apps connected to its API. Editor’s Note: Privacy Perspectives recently posted “Data-Driven Dating: How Data Are Shaping Our Most Intimate Personal Relationships.”

PRIVACY PROFESSION

How Privacy Engineers and Lawyers Can Get Along (January 14, 2014)
The burgeoning technological landscape is increasing the need for lawyers to work with engineers on privacy protection initiatives. In this post for Privacy Perspectives, two Georgia Tech professors—one a law professor, the other a software engineering professor—consider four points showing “how to bring together and leverage the skill sets of engineers, lawyers and others to create effective privacy policy with correspondingly compliant implementations.” Profs. Peter Swire, CIPP/US, and Annie Antón look into how lawyers and engineers make the simple complicated, why using the term “reasonable” works in privacy rules but not software specifications and, perhaps most importantly, “how to achieve consensus when both lawyers and engineers are in the same room.”

MOBILE PRIVACY

Turnstyle: Making a Business on Phones’ Continuous Broadcasting (January 14, 2014)

The Wall Street Journal profiles Turnstyle Solutions, a start-up in Toronto using small sensors placed throughout downtown to track the movements of individual consumers. The firm then sells that data, showing businesses which other places their customers frequent, in the name of customizing offerings. One restaurant emblazoned its logo on tank tops when it became clear that customers also frequented a local gym. Turnstyle’s success, the report says, along with that of other startups like Euclid Analytics, “speaks to the growing value of location data … but Turnstyle is among the few that have begun using the technology more broadly to follow people where they live, work and shop.” (Registration may be required to access this article.)

DATA LOSS

Snapchat Assures Users Spam Is Unrelated to Breach (January 14, 2014)

Following reports recently from some Snapchat users that they’ve received an excessive amount of spam, the company has apologized but assured users the messages are unrelated to a recent breach that exposed millions of usernames and phone numbers, Los Angeles Times reports. “While we expect to minimize spam, it is the consequence of a quickly growing service,” Snapchat said in a blog post.

SURVEILLANCE—EU & U.S.

Obama To Announce NSA Recommendations This Week (January 13, 2014)

President Barack Obama will announce the results of his review of the National Security Agency (NSA) surveillance programs on Friday, January 17, the Associated Press reports. Privacy and Civil Liberties Oversight Board (PCLOB) Chairman David Medine, who met with the president last Wednesday, said, “We wanted to be able to provide input into the decision-making process.” The PCLOB is expected to release its own findings on January 23. The Hill reports on how Obama’s decisions around NSA reform have put his legacy on the line. Meanwhile, the European Parliament’s decision to have Edward Snowden testify on NSA surveillance programs has divided MEPs due to fears it could damage EU-U.S. relations. Politico reports that, based on last week’s Consumer Electronics Show, fears of NSA spying have not affected consumers’ excitement for emerging technology. However, according to a new survey, a quarter of Canadian and UK businesses are looking away from U.S.-based cloud storage companies due to NSA spying.

PRIVACY LAW—GERMANY

Justice Minister Seeks Delay of Retention Directive (January 9, 2014)

EUObserver reports German Justice Minister Heiko Maas wants to delay making the EU Data Retention Directive law. Maas’ announcement comes amidst “legal action by the European Commission and despite the fact two leading parties in Germany's grand coalition want to go ahead,” the report states, noting he “hails from the centre-left SPD party, which wants to postpone it.” The report details the recent debate in Germany on data retention. Germany is expected to “further delay its implementation of the Data Retention Directive despite facing potential financial penalties of more than 300,000 euros for each day it fails to transpose it into national law,” Out-Law.com reports.

SURVEILLANCE—FRANCE

New Law Prompts Fears, Controversy (January 9, 2014)

In a feature for Computerworld, Jean-Loup Richet writes about France’s U.S. National Security Agency-like surveillance program, which reportedly gathered “nearly all … data transmissions, including telephone calls, e-mails and social media activity that come in and out of France” and a new law to define the surveillance of citizens’ data. The law would allow the seizure of “all documents stocked in a ‘cloud’ service subscribed by a given Internet user” in cases of terrorism and organized crime investigations, the report states. While some officials indicate such provisions have been in place for years, the Green Party is seeking a review of the law, arguing it “actually expands these shadowy powers.”

ONLINE PRIVACY—UK

Expert Advises Websites Regarding Defamation Laws (January 9, 2014)

Out-Law.com reports on new defamation laws that came into force on 1 January, which “set out a voluntary procedure that website operators can follow to absolve themselves of liability for defamation when they receive a complaint about comments posted by others on their site.” Pinsent Masons’ Kathryn Wynn advises, "Although website operators have to take certain steps in order to rely on the defence under Section 5 of the new Defamation Act and the accompanying regulations, they cannot ignore data protection completely and should still be mindful of the complainant’s privacy concerns and their own obligations under the Data Protection Act, particularly where the disclosure is in excess of what is required to fall within the statutory defence.”

EMPLOYEE PRIVACY—SPAIN

Court: Companies Can Monitor Communications (January 9, 2014)

Mondaq examines what it describes as the Tribunal Constitucional’s “landmark ruling in the case of Pérez González v. Alcaliber … finding that companies are permitted to access and monitor employee communications via company IT resources, including e-mails and texts, as part of investigations into employee misconduct.” The case involved González’s dismissal from Alcaliber “for disseminating trade secrets to competitors,” the report states. The court found “dismissal was not disproportionate,” ruling “a company must be permitted to monitor employee communications to verify well-founded suspicions of transgression where such monitoring is necessary to provide evidence to justify dismissal.” (Registration may be required to access this story.)

DATA PROTECTION—IRELAND

Hawkes Discusses Public Concerns, EU Reg, More (January 9, 2014)

The Irish Times reports on comments from Data Protection Commissioner Billy Hawkes on the proposed EU regulation, the claims of “light-touch” regulation in Ireland and the public’s concern about accessing their personal information. Citing Hawkes’ comments at the IAPP Europe Data Protection Congress in Brussels last month, the report suggests Hawkes does not view the proposed one-stop shop “with any great enthusiasm … However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it.” Hawkes goes on to reject allegations of “‘light touch’ regulation by his office,” and weighs in on the public’s concern over “the refusal or failure of organisations to give them access to their personal data.”

GEO PRIVACY—UK

Privacy Rights and Telematics Data (January 9, 2014)

While insurers recognise the value of telematics data from vehicles, such information can constitute personal data and, in such cases, is subject to data protection law, Out-Law.com reports. “Where personal data has been anonymised, data protection laws no longer apply,” the report states, noting, however, the Association of British Insurers guidance to companies advising they “obtain the consent of all named drivers on a telematics policy before they can collect personal telematics data about those individuals.” Insurers do not, however, currently need to obtain consent to share personal data “where disclosure is necessary to prevent or detect crime, such as fraud,” the report states.

DATA LOSS—IRELAND & UK

DPC Investigating Adobe Breach; Staysure Breach Reported (January 9, 2014)

ZDNet reports Ireland's Office of the Data Protection Commissioner (DPC) has been investigating Adobe’s breach last year that involved the theft of about 38 million records. The DPC began its investigation in October, the report states. "This office immediately launched an investigation into the matter, which is still ongoing," the DPC said in the statement. Meanwhile, in the UK, insurance carrier Staysure has notified 93,389 customers of a breach exposing personal and payment card data. Personal information and three-digit card verification values were compromised in an October cyber-attack, Out-Law.com reports, and the company reported the breach to the relevant authorities, including the Information Commissioner's Office.

HEALTHCARE PRIVACY—UK

Privacy Concerns Abound Over HSCIC Database (January 9, 2014)

With all UK households set to receive leaflets this month from the National Health Service (NHS) explaining “patient data currently held by general practitioners will automatically be uploaded to a central database run by the Health and Social Care Information Centre (HSCIC) unless they specifically opt out of the process,” privacy concerns are being raised, Infosecurity reports. Those concerns include the way the program is being introduced and the use of the uploaded data, the report states, noting the Information Commissioner’s Office has “insisted to the NHS that patients be informed of their right to opt out—and that is the primary role of the leaflet.” But some are concerned it “is designed to cause as few people to opt out as possible."

SURVEILLANCE—EU & U.S.

Shutting Down EU Is Not the Way To Defend Privacy (January 9, 2014)

In reaction to yesterday’s release of the European Parliament’s LIBE Committee draft report on U.S. National Security Agency (NSA) mass surveillance, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, writes, “Shutting down pretty much all transatlantic data flows in order to prevent unreasonable access to data by the U.S. intelligence services would not only be disproportionate, but it would be hugely damaging to the information society we all rely on.” In this post for Privacy Perspectives, Ustaran looks at several specific provisions of the draft report, noting that though it’s extreme, there is no need to panic. Meanwhile, TechCrunch reports that the LIBE Committee has invited former NSA contractor Edward Snowden to testify on U.S. surveillance.

PRIVACY LAW—FRANCE & U.S.

CNIL Issues Its Largest-Ever Fine to Google (January 9, 2014)

French privacy regulator the CNIL has fined Google $204,000 for breaking the law with its unified privacy policy—its biggest fine to date, GigaOM reports. The CNIL said the company implemented its shift to one privacy policy across all its services without properly informing users of the ways in which their data would be combined and for what purposes. That’s similar to The Netherlands’ data protection authority’s assertion in November, while Spain’s data protection authority fined the company $1.2 million last month. The fines are the latest in European displays of dissatisfaction with online tracking, which may impact EU-U.S. business relations, The Wall Street Journal reports.

PRIVACY—EU

Hustinx Departs, Successor Remains Unknown (January 9, 2014)

The European Data Protection Supervisor’s (EDPS) five-year term ends January 16, and it seems the post could remain vacant for the foreseeable future after current EDPS Peter Hustinx departs, PCWorld reports. The EDPS is appointed by the European Parliament and Council, but the list of candidates created by the European Commission after a public call for candidates was deemed insufficient. Commission Spokesman Antony Gravili said the “selection panel concluded that none of the candidates had the qualities that are needed for the job.” The commission is seeking candidates with experience in data protection in a large or public organization as well as with experience implementing data protection rules, the report states. Hustinx expressed alarm in a letter to the Commission that his successor has yet to be determined. Editor’s Note: For more on outgoing EDPS Peter Hustinx and the search for his replacement, see The Privacy Advisor exclusive, “Ten Years and Two Terms Later, A Look at Peter Hustinx’s Legacy.”

DATA PROTECTION—EU & U.S.

Reding Urges Action on GDPR; LIBE NSA Report Leaked (January 8, 2014)
EU Justice Commissioner Viviane Reding has said the proposed EU General Data Protection Regulation (GDPR) must “move full speed ahead,” Bloomberg reports. The clock is ticking on the GDPR with European Parliament elections coming this May. “We have lost too much time already,” Reding said in a prepared statement for a speech in Brussels. Not everyone agrees, however, that the GDPR will move forward. In discussing the two main privacy surprises of 2013, Google Global Privacy Counsel Peter Fleischer wrote on his personal blog, “the old draft is dead…” Meanwhile, after months of inquiry, the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee draft report on U.S. National Security Agency surveillance has been leaked. This report for The Privacy Advisor looks at these developing stories and includes commentary from Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E.

NOTICE & CONSENT

Counterpoint: Consent, User Control Are Not Things of the Past (January 8, 2014)

In response to arguments presented by privacy scholar and author Viktor Mayer-Schönberger on notice, choice and the regulation of use, Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin State Parliament (Germany) Commissioner Alexander Dix and Prof. Khaled El Emam collectively contend that consent and personal control are not things of the past. In this Privacy Perspectives post, they write, “In fact, in the wake of Edward Snowden’s revelations, we are witnessing the opposite: A resurgence of interest in strengthening personal privacy.”

SURVEILLANCE

Yahoo Implements Default Encryption; Speakers Canceling Due To NSA Claims (January 8, 2014)

Yahoo has begun automatically encrypting Yahoo Mail users’ connections. Automatic HTTPS is now the default. The move is in response to concerns about government surveillance. Google recently made a similar change, and Microsoft and Facebook have announced stronger encryption keys will be coming in the future. Meanwhile, following allegations that a major security firm accepted $10 million from the National Security Agency to implement an “intentional cryptographic flaw” in one of its encryption tools, several high-profile security experts have begun canceling their appearance at the firm’s annual conference, CNET reports.

CONSUMER PRIVACY

Unsurprisingly, CES Buzzes With Privacy News (January 7, 2014)
With more than 150,000 attendees descending on Las Vegas, the Consumer Electronics Show, which kicked off yesterday, is the largest event of its kind in the world and is often the venue where electronics manufacturers make their big product unveilings. This year, privacy has more prominence at the event than ever before. The Privacy Advisor wraps up the big privacy news, from the latest in wearables to biometrics to smart cars and TVs. Further, the news makes two upcoming web conferences seem relevant. Rebecca Herold, CIPM, CIPP/US, CIPP/IT, hosts an event with ISACA on Thursday at noon, “Where Do You Draw the Creepy Line? Privacy, Big Data Analytics and the Internet of Things.” And at 1 p.m. on Thursday, the IAPP hosts a web conference on “Working with Third-Party Vendors: Moving Toward a Standardized Solution,” featuring Jules Polonetsky, CIPP/US; Ellen Giblin, CIPP/US, CIPP/C, CIPP/G; and Al Silipigni, CIPP/US.

DATA PROTECTION

10 Tips for Data Privacy in 2014 (January 7, 2014)

Several recent data breaches continue to show how “the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust.” In this Privacy Perspectives post, AvePoint Vice President of Risk Management and Compliance Dana Simberkoff, CIPP/US, writes, “The good news here is that this should be highly preventable.” With Data Privacy Day around the corner, Simberkoff shares 10 tips for improving an organization’s privacy and data protection programs—from identifying the “Crown Jewels” to building bridges, not walls, to creating a pervasive culture of compliance and more.

ONLINE PRIVACY

Are Data-Use Policies Useless? (January 7, 2014)

In an op-ed for Ars Technica, Casey Johnston questions whether the recent hack of Snapchat and the company’s allegedly questionable data security practices show how data-use policies fail. Privacy policies and terms of use “make plenty of promises about all of the third-party evils they will protect our data from,” Johnston writes, “But those policies contain few limits on what the companies themselves can do with our info or how they will secure it.” Meanwhile, The Hill reports that Snapchat has hired lobbyists in Washington, DC, to work on “educating policymakers regarding the application’s operation and practice.” According to The Guardian, the integration of Google+ into its Android operating system “has made it too easy for users to leak personal information.” And in a column for Computerworld, Evan Schuman looks into what app developers should include in their mobile privacy policies.

DATA PROTECTION

Security Firm Buys Mandiant for $1 Billion (January 3, 2014)

FireEye, a major security firm, announced on Thursday that it is bolstering its security offerings in the purchase of Mandiant for $1 billion, IDG News Service reports. Mandiant, which does $100 million in sales per year, made headlines last January after it helped The New York Times discover alleged Chinese hackers lying dormant within the publisher’s network. Though the companies reside in the same industry, each specializes in different offerings. FireEye specializes in network monitoring and intrusion detection, while Mandiant provides an incident response platform, helps clients determine what data has been compromised and closes vulnerabilities, The Washington Post reports. FireEye Chairman and CEO David DeWalt said the combination of firms will allow it to move more quickly from detection to response.