European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY TECH

OWASP Looking for Volunteers for Privacy Top 10 Project (February 28, 2014)
In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.

PRIVACY LAW—FRANCE

The CNIL Is Making Its Mark (February 28, 2014)

With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. In this Privacy Tracker post, Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation. (IAPP member login required.)

HEALTHCARE PRIVACY—UK

NHS Records Sold to Insurer (February 27, 2014)

Daily Mail reports a UK insurer has claimed “it was able to access records of 47 million patients over 13 years to help it decide premiums for customers.” The news follows announcements last week that NHS data-sharing plans were placed on hold in the midst of privacy concerns. “The Staple Inn Actuarial Society said in a report that it used NHS data covering all hospital in-patient stays between 1997 and 2010 to track the medical histories of patients, identified by date of birth and postcode,” the report states. One privacy advocate said, “We have been categorically told that it would be illegal for GP data to be handed over to insurers, yet already all this hospital data has been extracted. It blows out of the water the idea that patients’ privacy is being protected.”

PRIVACY LAW—ITALY

Garante Enforcement Activity Report Released (February 27, 2014)

In this exclusive for The Privacy Advisor, Rocco Panetta highlights the main points from the Garante’s release of its enforcement activity in Italy in 2013 and inspection plan for the first half of 2014. “In 2013, the Garante carried out 411 proceedings, four percent more than in 2012,” Panetta writes, noting communications to the Judicial Authority also increased in 2013—up 27 percent from 2012. “Most of the proceedings referred to minimum security measures, violations of the so-called Workers’ Statute, public data, telemarketing, electronic health data, mobile payment, telecoms data, data breaches, employment and GPS,” Panetta writes. Panetta also reports on recent Garante decisions regarding medical research and a new register of welfare positions.

PRIVACY LAW—UK

ICO: Spammers Could Escape Prosecution (February 27, 2014)

Companies that send spam texts, make silent phone calls or clog inboxes with junk e-mails could escape prosecution because of a legal ruling, Information Commissioner Christopher Graham has warned. Graham’s concerns follow the case of Tetrus Telecoms, which was originally fined 440,000 GBP, “but won on appeal after a tribunal ruled the text messages were only a minor nuisance,” Daily Mail reports. Graham, who is calling for the law to be changed, said unsolicited calls and messages comprise “one of the great curses of the age … We could show there was nuisance—that isn’t enough apparently.”

PRIVACY LAW—BELGIUM

Human Rights Association Fighting Data Retention Law (February 27, 2014)

La Ligue des droits de l'Homme (LDH) has launched a procedure against Belgium’s new law requiring telecom operators to hold customer data for one year, Telecompaper reports. The human rights group contends the law is “a grave violation to the right for customers to a private life,” the report states, noting LDH has launched a crowd-funding effort to fight it. While law enforcement officials have said the law does not change anything, as such information was already held by companies, LDH’s concerns include “lack of supervision by an independent commission,” the report states.

INTERNET OF THINGS—THE NETHERLANDS

Justice Ministry: Company May Analyse Viewer Behaviour (February 27, 2014)

The Dutch Justice Ministry has said Samsung may analyse viewer behaviour via its smart TVs, Telecompaper reports. The statement came in response to questions from Parliament on the collection of such information. “Collecting the personal data is subject to rules that a company must consider as part of the process,” the report states, noting, “In the specific case of Samsung, the ministry noted that the company informs Dutch consumers about its collection and use of the data, including the choices they have under the privacy policy.” Editor’s Note: Justin Brookman wrote about Samsung’s Smart TVs for Privacy Perspectives.

PRIVACY LAW—UK

Expert: Prepare for EU Law by Following ICO Guidelines (February 27, 2014)

One data protection law expert is advising businesses they can prepare themselves for changes in EU law by following the Information Commissioner’s Office guidelines on privacy impact assessments (PIAs), Out-Law.com reports. Pinsent Masons’ Kathryn Wynn explains, “Conducting PIAs is the best way organisations can flesh out what the privacy issues relevant to new products and services they seek to offer are,” adding, “They will help flag issues that may otherwise have been missed by an organisation and allow them to make changes to the way they intend to process or otherwise handle personal data to reduce or manage any risks to privacy.” Meanwhile, issues around privacy law will be discussed and debated next month in the UK at the Bristol Law Conference. Editor’s Note: For tools and resources devoted to PIAs, see the IAPP Resource Center Close-Up: Conducting a Privacy Impact Assessment.

DATA PROTECTION—EU & U.S.

Post-Snowden, Businesses Focus on Privacy (February 27, 2014)

UK and U.S. citizens may be considered relatively relaxed about data sharing, Financial Times (FT) reports—noting they may be less so following the Snowden revelations. Germans tend to take a stricter view on what government and businesses can do with personal data, while France and other countries are “coming under pressure from the much more rapid evolution of privacy online,” the report states. IAPP member and KPMG Partner Ronald Koorn tells FT, “Attitudes have changed. Initially, the NSA incident was primarily a media event, but that discussion is now reaching multinational companies. They realise that privacy requires increased attention.” Separately, the UK government is being advised to strengthen its data protection practices following recent breaches. (Registration may be required to access this story.)

PRIVACY LAW

Turkey’s New Law, Brazil’s Impending Law, Others Examined (February 27, 2014)

In this Privacy Tracker legislative roundup, read about privacy concerns related to Brazil’s proposed Internet privacy law and a bill Turkey’s president recently signed into law, and get some insight on complying with South Africa’s new law. In the U.S., states are moving along bills to prevent revenge porn in Illinois and protect readers’ privacy in New Jersey and student privacy in Wyoming and Kansas, among others. Also, the Massachusetts Supreme Court has determined police need a warrant in order to collect cellphone location data over a period of time. (IAPP member login required.)

ONLINE PRIVACY

Making Online Privacy More User-Friendly (February 27, 2014)

With increased awareness about online privacy issues, both from the public and private sectors, a host of online privacy tools exist, but for the most part can be difficult to use. GigaOM reports on a group of experts attempting to make online privacy tools more user-friendly. Groups have been attempting to “redecentralize” the Internet, but, the report states, the open-source scene is often made up of users more concerned with function over the user experience. Eleanor Saitta, of the Open Internet Tools Project, said, “There are still a lot of people in the (developer) community who are, ‘If I can use this tool, why can’t everyone?’ A lot of people aren’t willing to acknowledge that if ordinary users can’t use it, they won’t.”

MOBILE PRIVACY

Mozilla Rolling Out New Privacy Features (February 27, 2014)

In a partnership with Deutsche Telekom, Mozilla said it plans to release new privacy and security features for its Firefox operating system, ComputerWeekly reports. The focus of its Future of Mobile Privacy project is emerging markets. Mozilla has found the most prevalent concerns include lost/stolen mobile devices and the privacy of sharing personal information among friends and family. Mozilla Global Privacy and Public Policy Leader Alex Fowler said Mozilla will “be calling on the privacy and security community to start dreaming up what they think are exciting features and services, and we want to prototype and make those part of future releases as well.”

BIG DATA

Surveys Offer Insights Into Consumer Perspectives (February 27, 2014)

Two recent studies offer insights into consumer perspectives on the use of their personal information (PI). A survey from content management and analytics firm SDL indicates “nearly two-thirds of consumers in the U.S. and around the world are worried about how marketers are using their personal information,” AdWeek reports. However, about 80 percent are willing to provide PI “to a trusted brand as long as brands are transparent about how they collect and use their information and as long as they get something in return.” A Fortinet study of Gen-Xers and Millennials, meanwhile, found differences in “philosophy about security and privacy” from one generation to the next.

PRIVACY TECH

Cryptographers at RSA: “Users Seem To Now Mind Giving Up Privacy” (February 26, 2014)

If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors here at the Moscone Center in San Francisco, CA. During the Tuesday morning keynote, panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ron Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry. Angelique Carson, CIPP/US, gets you up-to-speed.

PRIVACY COMMUNITY

IAPP Global Privacy Summit Is Sold Out (February 26, 2014)

The IAPP Events Team announced today that the Global Privacy Summit, happening next week in Washington, DC, is officially sold out. Were you procrastinating? Sorry about that. However, we have a couple of pieces of good news: our Show Daily newsletter, to which you can subscribe, and a discount on our next big U.S. event.

DATA PROTECTION—EU

Will Facebook-WhatsApp Deal Be Probed by EU DPAs? (February 26, 2014)

Bloomberg Businessweek reports on the Facebook-WhatsApp deal and whether it will trigger any privacy investigations from data protection authorities (DPAs) across the EU. Article 29 Working Party Chairman Jacob Kohnstamm said the acquisition may get the interest of DPAs. He said that DPAs “could, having heard about the merger, decide to do research into the product as well” and subsequently all “28 data protection regulators could open an investigation.” The main concern, he said, is the collection of data from users’ mobile address books when they download the application. Meanwhile, Finland-based Nokia is facing criticism after it was revealed that its Lumia line of Windows Phones transmitted personal data—including that of some senior members of Finland’s government—to Microsoft servers in the U.S.

PRIVACY COMMUNITY

Frye, Stoddart, Stonier Join IAPP Board (February 25, 2014)

The IAPP announced this week the new composition of its Board of Directors, with three notable additions, plus its newly appointed Executive Committee. Joining the board are Bank of America CPO Christine Frye, CIPP/US, CIPM; Executive VP of Privacy and Information Guidance at MasterCard JoAnn Stonier, and former Privacy Commissioner of Canada Jennifer Stoddart. Further, Hewlett-Packard VP and CPO Scott Taylor, CIPP/US, has taken over for Past Chairman and Microsoft CPO Brendon Lynch, CIPP/US, as chairman of the board, and a new slate of officers have accepted positions. Please join us in thanking them for their service to the IAPP.

PRIVACY BUSINESS

Oracle To Buy BlueKai for $400M (February 25, 2014)

AdAge reports that Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.”

MOBILE PRIVACY

IoT Focus at MWC (February 25, 2014)

The Mobile World Congress (MWC) is home to all the hottest new mobile devices, Forbes reports, and at this year’s event, the Internet of Things (IoT) and data are key themes. “Consumers currently expect ‘mobile device’ to mean smartphone and the apps we use on it, but a plethora of other device types are changing that expectation,” TJ McCue writes. He suggests that the prevalence of IoT sessions at the MWC indicates “the mobile community is taking the potential and implications of data seriously. The amount of data from IoT devices and the number of mobile products that help us share and make sense of it will only increase.”

DATA PROTECTION

On Breach Response, 50 Percent of Execs Are in the Dark (February 25, 2014)

According to The Economist Intelligence Unit’s Information Risk report, one half of executives surveyed have not been trained in what to do in response to a data breach. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives. The unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Of the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states.

CYBERSECURITY

SSL Bug Found in Apple Operating Systems (February 24, 2014)
Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections, Reuters reports. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices.

PRIVACY LAW—EU & U.S.

Law Symposium Delves into Thorny Privacy Issues (February 24, 2014)

Who’s governing privacy? That was the main question asked at the Maine Law Review 2014 Privacy Symposium on Friday. Implementing public policy to create appropriate levels of regulation and data protection in the Digital Age is a thorny issue with no easy answers, but privacy and legal experts from the U.S. and Europe did their best to flesh out what’s possible and what’s needed in Portland, ME. In all, seven law review papers were presented at the symposium, covering topics as diverse as the privacy issues raised by license plate scanners, the effectiveness of the multistakeholder process and transnational surveillance. This exclusive for The Privacy Advisor gives you the lowdown on the event.

PERSONAL PRIVACY

Privacy Issues Raised by 3D Room-Mapping Program (February 24, 2014)

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings, Motherboard reports. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them.

DATA PROTECTION—EU

On Leveraging Big Data While Complying with Law (February 21, 2014)

The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. In this post for Privacy Perspectives, Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.”

INTERNET OF THINGS

The Rise of Bring-Your-Own Wearable Device (February 21, 2014)

V3.co.uk reports on the rise of wearable technology and how it has been and will be integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states.

SURVEILLANCE—BELGIUM & UK

Spying Questions Head to Court (February 20, 2014)

A man wanted for seeking a bribe has filed a complaint with Belgium’s data protection commission alleging a telephone conversation was recorded without his knowledge, while in the UK, civil liberties groups have brought questions of the legality of digital surveillance programmes to court. “The extent of the intelligence services' bulk interception of online communications came under scrutiny for the first time in a British courtroom on Friday,” The Guardian reports. Nearly a dozen groups brought claims to the investigatory powers tribunal, which adjudicates on complaints related to government surveillance, alleging “the mass collection, storage and analysis of e-mails and electronic messages are illegal,” the report states. A full hearing is scheduled for July.

HEALTHCARE PRIVACY—UK

NHS: There Is “Risk” of Data Being Identified (February 20, 2014)

Although to do so would be illegal, NHS England has admitted that there is a risk that patient information in a new database could be identified, ComputerworldUK reports. The report highlights the planned uses of the database, which include selling datasets to companies and researchers, as well as concerns from critics who have said “although the data will be 'pseudonymised', it will only be a matter of time before identifiable patient data will be held by a number of companies across the world and patients won't be able to do anything about it.” NHS England’s analysis of the database warns patients “could be ‘re-identified’ if database data is combined with other information,” the report states. Financial Times reports the concerns have prompted a delay in the project.

DATA RETENTION—THE NETHERLANDS

Law Enforcement Calls for Improvements (February 20, 2014)

Dutch law enforcement officials want improvements in how communications data is collected and stored, Telecompaper reports, citing a justice ministry evaluation of The Netherlands’ data retention law. “Law enforcement officials that participated in the evaluation called for an expansion of the retention period for the data to a full 12 months, as well as an end to distinctions between telephony and Internet data,” the report states, noting, “For mobile calls, they also want not only the time when the call started recorded but also the time it ended.”

CONSUMER PRIVACY—FRANCE

CNIL, DGCCRF Release Prelim Report on IP Investigation (February 20, 2014)

Hogan Lovells’ Chronicle of Data Protection examines the preliminary findings in the CNIL and DGCCRF’s investigation of allegations “some French e-commerce websites selling train or plane tickets would use IP tracking to keep the IP address of Internet users who visit their websites to check the prices of some tickets but without buying them.” The allegations suggested the websites would increase prices for IP addresses they recognised from such prior visits. The CNIL and the DGCCRF “did not find unfair commercial practices by which the prices of the tickets would vary depending on the IP address of the Internet user,” the report states, but will continue to assess compliance “with the laws protecting personal data and protecting consumers against unfair commercial practices.”

DATA PROTECTION—SWEDEN

Telecom Privacy Rules Go Into Effect in September (February 20, 2014)

PTS, Sweden’s postal and telecoms regulator, is establishing requirements for telecoms operators to protect their customers' personal information and communications, Telecompaper reports. “Among other things, the new regulations deal with the question of who is allowed to access and handle customer information. PTS said only people with the correct training and who need the information in order to carry out their work will be able to access sensitive details about customers and their communications,” the report states. The regulations are scheduled to go into effect on 1 September.

PRIVACY PROFESSION

Ten Skills That Make a Good Privacy Officer (February 20, 2014)
While speaking to a group of law students recently, Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, was asked what makes a good privacy officer. So she went to work. After searching related top 10 lists for compliance officers, salespeople, CEOs and managers, Royal compiled this list of 10 skills necessary to becoming a good privacy officer for Privacy Perspectives. From compliance to social work to janitorial skills, privacy officers need a swath of abilities to effectively do their jobs. “We need to follow from the front and make sure our employees succeed … Rarely do people comply with a mandate because it is a mandate.”

DATA PROTECTION

Data-Centric Security: Reducing Risk at the Endpoints (February 20, 2014)

In this time of increased attacks on IT networks, the king's men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. In this exclusive for The Privacy Advisor, Jim Wyne, CIPP/US, looks at data-centric security as a method to mitigate risk and "ensure the most important asset of the business, the data, is protected."

SOCIAL NETWORKING

Dating App Vulnerability Allowed for Pinpointing User Locations (February 20, 2014)

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent, The Washington Post reports. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. (Registration may be required to access this story.)

PRIVACY LAW—GERMANY

Court: Facebook Must Comply with Data Protection Law (February 20, 2014)

The Higher Court of Berlin has ruled Facebook must comply with German data protection law, PCWorld reports. However, that decision, which confirms a 2012 decision finding the social network’s “Friend Finder” violated the country’s law, has “directly contradicted an earlier decision by another court,” the report states, citing a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein. The Higher Court of Berlin also found portions of Facebook’s privacy policy and terms of service violate the law. The Federation of German Consumer Organisations, or VZBV, called the decision “a milestone for data protection in the Facebook era.”

CLOUD COMPUTING

On Contracting and Compliance: Are You Up-to-Speed? (February 19, 2014)
With more and more organizations embracing cloud computing while others in highly regulated industries such as government, healthcare and finance remain hesitant, “it is time to get to grips with cloud computing,” writes Christopher Millard, a professor of privacy and information law at the Centre for Commercial Law Studies, Queen Mary, University of London. In this Privacy Perspectives post, which also previews a full-day preconference workshop at next month’s IAPP Global Privacy Summit, Millard makes the case for why privacy pros need to get up-to-speed on what can be a very complex undertaking. Editor’s Note: Millard’s series of articles on cloud computing and European law are available to IAPP members in the IAPP Resource Center.

DATA PROTECTION

Dutch Telecom and Silent Circle To Encrypt Phone Calls (February 19, 2014)

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages, PCWorld reports. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country, the report states. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy.

PRIVACY COMMUNITY—UK

Commissioner Graham Tenure Extended Two Years (February 19, 2014)

UK Information Commissioner Christopher Graham will remain in his current position for at least the next two years after the Queen officially approved his reappointment, V3.co.uk reports. The UK Ministry of Justice said the official start date of his reappointment begins on June 29. Graham said he is “delighted” to remain in office. “I don’t underestimate the challenge of leading the ICO at this time,” Graham said. “But unlike any other public body that I know, it falls to the ICO to champion both the right to privacy and the right to know for citizens and consumers—here in the UK, in Europe and internationally … It’s a big responsibility and the next phase certainly won’t be dull.”

SOCIAL NETWORKING

New Program Manages Privacy Settings (February 19, 2014)

GigaOM reports on My Face Privacy, a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.”

DATA PROTECTION—EU & U.S.

Merkel Backs EU-Only Data Networks (February 18, 2014)
German Chancellor Angela Merkel has said she backs a proposal to establish European data networks to keep e-mails and other communications inside Europe and away from U.S. intelligence agencies, The New York Times reports. “We will, above all, discuss which European providers we have who offer security for our citizens … So that you don’t have to go across the Atlantic with e-mails and other things but can build up communications networks also within Europe,” she said. German-based Deutsche Telekom has said creating such a network is possible. Google has expressed concerns that regional data storage could cause a “splinternet,” and, in a recent post for Privacy Perspectives, privacy expert Eduardo Ustaran, CIPP/E, warned that “shutting down Europe” is not the answer to defending privacy. (Registration may be required to access this story.)

PRIVACY LAW

German Advocates Get Right To Sue; U.S. States Continue on Anti-Surveillance Path (February 18, 2014)

In this Privacy Tracker weekly legislative roundup, read about the prospects of German advocacy groups getting the right to sue businesses, the status of the Philippines’ cybercrime law and proposals in the U.S. pushing for less data collection and more consumer protections. The Utah attorney general has stopped using administrative subpoenas for cellphone and Internet data, saying “writing yourself a note to go after that stuff without any check is too dangerous,” while the Senate looks at a bill that would mean law enforcement needs a judge’s order as well. Also, Orin Kerr has published an article supposing what a communication privacy act might look like if the U.S. scrapped ECPA and started from scratch, and there’s a handy interactive map outlining the status of social media privacy laws throughout the U.S. (IAPP member login required.)
Full Story

PRIVACY COMMUNITY

The Perspectives Conversation, Past and Future (February 18, 2014)

Last February, we unveiled our very first blog, Privacy Perspectives, and in the year since, we’ve received a range of contributions from privacy pros working in the public and private sectors, across virtually all industries. This Perspectives installment pauses to take a look back at the last calendar year, one filled with major privacy news stories—from the EU-U.S. data protection debate, to the Snowden disclosures, to the Target breach. But not all contributions were based on breaking news. Perspectives also featured personal tales within the privacy profession, insider tips for day-to-day operations, our changing social and legal norms and the difficult debates that are shaping how organizations, policy-makers and privacy professionals think about privacy.
Full Story

PRIVACY LAW

Cline: U.S. Leads World in Privacy Violation Fines (February 18, 2014)

Jay Cline, CIPP/US, writes for Computerworld on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.”
Full Story

DATA PROTECTION

Survey: Users More Hesitant To Click on Ads, Use Unknown Apps (February 18, 2014)

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74 percent indicating they are more concerned about privacy than they were a year ago. While 70 percent said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize.
Full Story

PERSONAL PRIVACY

Privacy Is Not Dead: “It’s Aliiiive” (February 14, 2014)
In honor of both Valentine’s Day and the zombie genre, Intel Chief Privacy and Security Counsel Ruby A. Zefo, CIPP/US, CIPM, shares her love of the undead by exploring 10 ways privacy is not dead. “At worst, it is the living dead,” she writes in this post for Privacy Perspectives. “Perhaps like Frankenstein’s monster, you thought it was dead, but in fact, it’s allliiiive!”

DATA LOSS

Store, Healthcare Entities, Hotels, Bank Announce Breaches (February 14, 2014)

A number of brands have announced breaches this month, including Tesco, which was the victim of a breach not because of its own systems but as a result of breaches at various websites, where users had employed the same username and password across multiple sites. A U.S. senator recently said data breaches are simply a “fact of life” these days, and an eSecurity Planet report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports.
Full Story

PRIVACY LAW—GERMANY

Minister: Consumer Rights Orgs May Be Able To Sue Over Breaches (February 13, 2014)

The Minister of Justice and Consumer Protection has announced consumer rights organisations “will soon be able to sue businesses directly for breaches of German data protection law,” Hunton & Williams’ Privacy and Information Security Law Blog reports. The minister plans to present a draft law in April, the report states, noting that if passed, “the new law would bring about a fundamental change in how German data protection law is enforced.” Under current law, when a breach occurs, only those affected, criminal prosecutors and data protection authorities have legal standing to sue. “Such proceedings are still relatively infrequent, in part due to the complexities and costs involved,” the report states, noting, “Consumer rights organizations, however, are sophisticated and well-funded.”
Full Story

DATA PROTECTION—EU & U.S.

EU Says EU-U.S. Trade Deal Should Not Pass Without U.S. Privacy Reforms (February 13, 2014)

The LIBE Committee approved a report Wednesday stating the European Parliament should not agree to the EU-U.S. trade deal, the TTIP agreement, unless it fully respects EU citizens’ data privacy, Help Net Security reports. The report, which passed the committee by a 33-7 vote, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information.” The committee also “voted against calling for asylum protection for former U.S. intelligence agency contractor and whistleblower Edward Snowden,” EUObserver reports. In the U.S., the Privacy and Civil Liberties Oversight Board has testified to a Senate committee that the NSA's phone data collection is unlawful. In a recent interview, EDPS Peter Hustinx discussed NSA surveillance and the forthcoming reforms of the data protection regulation. Meanwhile, the European Agency for Fundamental Rights has released its official agenda for the EU, which includes recommendations on the EU data protection framework.
Full Story

PRIVACY—EU

Politicians, Voters Sign Pledge To Protect Digital Privacy (February 13, 2014)

Nearly 30 candidates hoping to become Members of the European Parliament have signed a pledge to protect digital rights and defend net neutrality in a bid to gain votes, reports PCWorld. European Digital Rights group EDRi, an association of 35 digital civil rights organisations, began the WePromise campaign, which includes a 10-point “charter of digital rights.” According to the report, the candidates who sign the pledge promise to abide by the charter, and voters are also asked to sign the pledge to vote for candidates who have made the promise. More than 350 voters have signed the pledge, but more are needed if it’s going to be an incentive to candidates, says EDRi Director Joe McNamee.
Full Story

DATA LOSS—UK

Police Staff Fired, Resign After Breaches; ICO Fines Gov’t Department (February 13, 2014)

BBC News reports 113 law enforcement employees were fired and 186 resigned their posts in connection with privacy breaches. “Police forces from across England and Wales recorded a total of 2,031 cases of data protection breaches between January 2009 and October 2013,” the report states, noting those reporting the most incidents were Avon and Somerset with 289 and Merseyside with 202. In a separate incident, the ICO has fined the Department of Justice Northern Ireland $185,000 GBP after “a serious breach of data protection laws,” Out-Law.com reports. A department agency “failed to check a locked filing cabinet before the piece of furniture was sold at auction at a time when the agency was moving offices.”
Full Story

PRIVACY COMMUNITY—EU

Florian Thoma Joins Accenture (February 13, 2014)

Multinational consulting firm Accenture just got a boost in privacy experience after naming Florian Thoma, CIPP/US, CIPP/E, CIPM, as its new senior director of global data privacy. Thoma, who has served on the IAPP’s Board of Directors since 2010 and its European Advisory Board since 2009, started his new position on 1 February.
Full Story

PRIVACY LAW—THE NETHERLANDS

DPA: Companies Break Law When Asking for Passports (February 13, 2014)

Dutch Data Protection Authority the CBP has said companies break the law when asking customers for copies of their passports, DutchNews.nl reports. “Of course companies can check if people are who they say they are,” CBP Spokesman Wilbert Tomesen said. “But piles of photocopies of passports is an invitation to identity fraud, which has major financial and social ramifications for citizens.” The CBP has created guidelines for citizens, and has noted many companies are unaware that making copies of passports and IDs is illegal except in certain circumstances.
Full Story

MOBILE PRIVACY—UK

Will Payment Service Come with Privacy Cost? (February 13, 2014)

The UK's three largest mobile operators, O2, Vodafone and EE, have launched mobile payment service Weve and have shared information about a new mobile targeted ad service, Computing reports, prompting memories of privacy scandals past for at least one analyst. Weve CEO David Sear has said, however, “We believe we are creating a new standard in privacy, because it is difficult for consumers who don't really know what the deal is, they don't know whether they are giving that data to someone and if that data is being used responsibly, and who has access to their identity.”
Full Story

PRIVACY LAW—UK

ICO Orders Cooperation with “Blagging” Investigation (February 13, 2014)

Information Commissioner Christopher Graham has told MPs that 10 companies, including insurers, law firms and security firms, are being ordered to cooperate with his office’s inquiry “into the illegal ‘blagging’ of private information,” BBC News reports. The Information Commissioner’s Office’s investigation began last year in the wake of allegations by police that “98 companies had used private detectives to illegally gain information including bank and phone records.” Graham is asking the government to enact “uncommenced legislation” to introduce prison sentences for serious Data Protection Act breaches, the report states.
Full Story

DATA LOSS

More Breaches Announced; U.S. FBI Says Target Breach Just a Foreshadow (February 13, 2014)

A Verizon report has found that a vast majority of companies who achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) annually fail to maintain that status, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that 11 percent maintained compliance status between each PCI DSS assessment. Sebastian Maza, Verizon’s head of PCI DSS Asia Pacific, told The Sydney Morning Herald that businesses struggle to detect and address cyber-attacks. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches.
Full Story

PRIVACY PROFESSION

Which Drives Leadership: Compliance or Strategy? (February 13, 2014)
The privacy profession has changed dramatically during the past 20 years, as has its role within an organization, prompting Information Accountability Foundation Executive Director Martin Abrams to query, “What drives leadership in 2014? Is it the need to have a highly compliant organization in an era where compliance is very complex? Or is a strategic approach to information governance when data moves from being a business facilitator to the driver of innovation?” In this post for Privacy Perspectives, Abrams looks into this debate, observes that skill sets are changing and warns that organizations that think privacy “is just another compliance program will be sitting ducks for strategic errors that will get in the way of innovation.”

PRIVACY COMMUNITY

IAPP Hits 15k Members (February 13, 2014)

At about 10 a.m. EST yesterday, the IAPP gained its 15,000th active member, a milestone that was celebrated here in our Portsmouth, NH, offices with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis.
Full Story

ONLINE PRIVACY

Smart Cities Are Evolving, But Are We Ready? (February 13, 2014)

Computerworld reports on the not-so-distant future of smart cities. To some extent, they’re already here, as governments increasingly use wireless networks, Big Data, web portals and social media, among other technological tools. But a smart city—aimed at enhancing citizens’ quality of life, improving government processes and reducing energy use, among other goals—brings with it a multitude of privacy and data security implications, the report states. Five U.S. cities in particular are taking on initiatives to help manage the change to “smart.”
Full Story

INTERNET OF THINGS

The Privacy Pro’s Guide to the Internet of Things (February 12, 2014)
The rise in Internet of Things (IoT) technology has brought with it a slew of new and difficult challenges for privacy professionals and “will test our skills in the same way the more traditional Internet uses have been challenging our professional ability to identify risks, assess their likely impact and deploy practical solutions for everyone’s benefit,” writes privacy expert Eduardo Ustaran, CIPP/E. In this post for Privacy Perspectives, Ustaran provides privacy professionals with some tips—from notice to security—on navigating the IoT landscape today and into the future.

PRIVACY RESOURCES

Employee Awareness: Where the Rubber Hits the Road (February 12, 2014)

A workforce educated in proper data handling might be one of the most important tools an organization can have for preventing a data breach. Almost all of an organization’s employees touch data of some sort, yet multiple studies have shown insider negligence and disregard for policies are leading factors in breaches. This close-up on employee education and awareness offers tools, tips and insight on how to get everybody on the privacy bandwagon. Find new ways to convey the importance of privacy throughout your organization with posters, videos and tip sheets—including the IAPP’s own “Prudence the Privacy Pro” comic strip. (IAPP member login required.)
Close-Up: Employee Awareness and Education

PRIVACY LAW

Review: Transborder Data Flows and Data Privacy Law Is “Must-Have” (February 12, 2014)

“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes for The Privacy Advisor in his review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.” Editor’s Note: Kuner shares some thoughts from his book in this post for Privacy Perspectives.
Full Story

PRIVACY LAW—EU & U.S.

FTC Announces Settlement Over Safe Harbor Claims (February 12, 2014)

The Federal Trade Commission (FTC) has settled with children’s online gaming company Fantage.com after it “falsely claimed to be a certified participant” in the EU-U.S. Safe Harbor agreement, The Hill reports. In its settlement announcement Tuesday, the FTC noted the company had let its Safe Harbor certification lapse. “This does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws,” the FTC said. The proposed settlement prohibits the site “from making similar false claims in the future,” the report states. The FTC is taking “a more proactive look at this program in terms of enforcement,” FTC Chairwoman Edith Ramirez said at an event this week.
Full Story

SURVEILLANCE

Internet Giants, Users Worldwide Take Part in “The Day We Fight Back” (February 11, 2014)

Gizmodo reports on protests happening around the world today as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation is among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants have signed on to the roster of participating groups, National Journal reports. Rep. Matt Salmon (R-AZ) says the U.S. is locked in a “fight of epic proportions” over the constitutional right to privacy, The Hill reports.
Full Story

ONLINE PRIVACY

Google, comScore Team Up; Alternative Search Traffic on the Rise (February 11, 2014)

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly, The New York Times reports. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” (Registration may be required to access this story.)
Full Story

BIOMETRICS

Facial Recognition Tech Used in Sochi; Expanded Uses Expected (February 11, 2014)

San Jose Mercury News reports on facial recognition software being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology.
Full Story

PRIVACY LAW

Two Countries Seek Increased Gov’t Access to Digital Data (February 10, 2014)
Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for company officers, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more. (IAPP member login required.)

PRIVACY—EU & U.S.

Letter to the Editor (February 10, 2014)

Last week, The Privacy Advisor covered Federal Trade Commissioner Julie Brill’s Twitter chat, in which Brill took live questions on the relationship between the EU and the U.S. on data processing, the use of mobile devices in healthcare and what the web might look like in a cookie-less world, among other topics. In our coverage, we indicated Brill “shut down the idea” of future EU-U.S. collaboration in her response to a question about whether discussion had “evolved” on plans for a mutual enforcement program between the EU and U.S. In this letter to the editor, Brill clarifies the FTC is “engaged in important ongoing dialogues” on enforcement cooperation in various organizations.
Full Story

BEHAVIORAL TARGETING

Verizon Ad Program Will Track Web Habits (February 10, 2014)

Computerworld reports on recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allowing it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What's your personal data worth? Are you giving it up? And if so, are you getting value in return?”
Full Story

SURVEILLANCE—UK & U.S.

With Drone Use, Privacy Concerns Persist (February 10, 2014)

The U.S. Federal Aviation Administration is investigating the use of a drone at a fatal crash in Connecticut, prompting concerns about safety and privacy, FOX CT News reports. A Hartford Police Department incident report indicated officers spotted the drone with an attached camera flying overhead while “bodies were still in the car,” the report states. Meanwhile, The Guardian examines the questions around drones in this “age increasingly shaped by our attitudes to, and our definition of, privacy.” While noting drones are banned in London, UK, and there are restrictions on their use in residential areas, the report questions “how many uses could there be for a small, silent, fast, remote-controlled drone?”
Full Story

PRIVACY

Tips To Determine If Your Printer has Internal Storage (February 7, 2014)

Some high-end printers and copiers retain digital copies of documents in their internal storage. This PC Magazine report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone.
Full Story

PRIVACY LAW—FRANCE

Google Fights CNIL Request In Court (February 7, 2014)

The Wall Street Journal reports that Google has asked a French court to suspend an order requiring it to post a message on its French home page notifying users of the privacy fine levied by France’s data protection authority (the CNIL). A Google lawyer has argued that posting the notice of the 150,000 euro ($204,000) fine causes irreparable damage to the company’s reputation. Patrice Spinosi, a lawyer representing Google, said, “This is something we’ve never seen before … Google has always maintained that page in a virgin state.” The CNIL has said that users of Google’s home page have the right to know that Google has been sanctioned. (Registration may be required to access this story.)
Full Story

INFORMATION ACCESS

Twitter Wants To Tell Customers More (February 7, 2014)

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.”
Full Story

PRIVACY—EU

Jagland on Balancing Privacy, Security and Info-Sharing (February 6, 2014)

Deutsche Welle reports on comments on data security and privacy protection by former Norway Prime Minister, Nobel Peace Prize Committee Chairman and Secretary General of the Council of Europe Thorbjørn Jagland. Jagland will speak at this summer’s Global Media Forum, the report states, noting the event will explore “the extent to which the right to freedom of expression is negotiable, what its limits are and when these are overstepped, with the danger of private data becoming public property.” Jagland said the Council of Europe is updating its Data Protection Convention, adding “it could be a universal model to ensure a proper balance between privacy, security and information-sharing.”
Full Story

PRIVACY COMMUNITY—FRANCE

Falque-Pierrotin Reappointed CNIL President (February 6, 2014)

Isabelle Falque-Pierrotin will continue to serve as president of France’s data protection authority, the CNIL, for another five years, Telecompaper reports. Falque-Pierrotin joined the CNIL in 2004, serving as its vice president, and became president seven years later. The report notes the CNIL's new vice president and deputy vice president are Eric Peres and Marie-France Mazars. As president, Falque-Pierrotin presides over a college of 17 commissioners, and a total of 11 new members joined the commission in recent weeks.
Full Story

DATA PROTECTION—EU & UK

Handbook Aimed At Raising Awareness (February 6, 2014)

Out-Law.com reports on a new handbook issued by the European Union Agency for Fundamental Rights, the Council of Europe and the Registry of the European Court of Human Rights that “contains a different test from the one used by the UK's Information Commissioner's Office (ICO) for determining whether data is personal or anonymised for the purposes of data protection law.” With anonymisation becoming increasingly difficult, the ICO created a code of practice to determine “anonymisation” in terms of data protection laws, the report states, noting “the new data protection handbook issued by the three European bodies contains a different test for defining when personal data can be said to have been anonymised.”
Full Story

PRIVACY LAW—EU & SPAIN

Takeaways from the First Cookie Consent Fines (February 6, 2014)

Last month, Spain’s Data Protection Authority (DPA) issued its first fines since its implementation of the EU “cookie consent” requirement, prompting Nuria Pastor to write for the Field Fisher Waterhouse Privacy and Information Law Blog about the messages to take away from this case. Among those takeaways, Pastor writes, “Even though cookies are part of our everyday life, European regulators perceive the use of cookies as intrusive—this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.” She also cautions that “the grace period has long been over. If you have not already done so, it is important to get your house in order now.”
Full Story

PRIVACY LAW—GERMANY

Court Clarifies Credit-Scoring Rules, Finds “Send-To-A-Friend” Messages Are Spam (February 6, 2014)

The Privacy Tracker reports the Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. Meanwhile, in a Mondaq report, Field Fisher Waterhouse’s Stephan Zimprich examines the court’s ruling “that e-mails sent via ‘send-to-a-friend’ functionality on websites must be considered illegal spam e-mail unless the recipient expressly consented to receive the e-mail.” Zimprich notes the decision finds that website service providers, and not the users, are responsible for obtaining consent.
Full Story

PRIVACY LAW—EU

Experts: Privacy Criteria Could Undermine Media (February 6, 2014)

The inclusion of privacy criteria in freedom of expression cases is prompting concerns from experts that the result could be the undermining of media efforts to uncover the truth, The Guardian reports. A series of European Court of Human Rights (ECHR) judgments “has begun to blur the boundaries between privacy and defamation cases,” the report states, citing concerns from legal experts and advocates that “the ECHR precedents could ‘hamper investigative journalism’ in Europe.” Media and privacy expert Hugh Tomlinson warns, “In three recent defamation cases the (ECHR) has analysed the issues not on the basis of truth and verification but using criteria designed to strike a balance … in privacy cases.”
Full Story

DATA BREACH—FINLAND

Cyber-Espionage Attack Under Investigation (February 6, 2014)

The Ministry for Foreign Affairs is investigating a cyber-espionage attack it sustained, The Helsinki Times reports, noting the ministry has determined the methods used. The ministry is finalising a report on the breach to present to government officials in March. “The investigation has progressed. We know the channel but don't know the party behind it. We therefore know where the infection came from and what opened the hole in our data network,” says Ari Uusikartano, the director general of the division, adding, “We are beginning to have quite a lot of information on how the attack has taken place and what methods were used.”
Full Story

HEALTHCARE PRIVACY—EU & UK

Group Concerned Proposals Threaten Research (February 6, 2014)

Out-Law.com reports on a coalition of health and scientific research firms, including several from the UK, lobbying MEPs and EU ministers “in an effort to ensure new EU data protection laws do not stifle medical research.” The group is raising concerns that current proposals could “severely threaten” research, the report states. “Concerns about patient confidentiality are legitimate and it is essential that people’s privacy is protected,” said Dr. Jeremy Farrar of the Wellcome Trust. “But when the safeguards become disproportionate, they benefit no one.” Changes supported by MEPs in October and set to be voted on in the spring “are disproportionate and put at risk future medical research and improvements in health,” he said.
Full Story

MOBILE PRIVACY

Apple Cracks Down on Tracking Apps; Developers Unhappy (February 5, 2014)

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.”
Full Story

PRIVACY COMMUNITY—IRELAND

Hawkes Will Not Seek Reappointment as DPC (February 5, 2014)

When his current term comes to an end next year, Data Protection Commissioner (DPC) Billy Hawkes will not be seeking reappointment. That’s according to a Bloomberg BusinessWeek story on Hawkes’ work in the nine years since he was appointed DPC—back when “Gmail was still in beta; Facebook was only open to a handful of colleges, and Steve Jobs was secretly designing a mobile phone.” Mark Milian writes that although “Hawkes says he won’t seek reappointment in 2015 when his current term as commissioner ends … he should have plenty to do before then” with Twitter and Dropbox operations in Ireland, the current examination of LinkedIn’s policies and the DPC’s placement “in the middle of a tech tug of war.”

DATA PROTECTION—IRELAND

Yahoo Moves to Ireland, Preps for DPC’s Audit (February 5, 2014)

Yahoo will undergo a privacy audit by the Irish Data Protection Commissioner (DPC) following the company’s announcement to the DPC that it would move all of its data processing facilities in Europe to Ireland, the Independent reports. DPC Billy Hawkes said it’s standard procedure to audit any Internet firms processing personal information in Ireland; Hawkes’ office is now completing an audit of Dublin-based LinkedIn. Hawkes has recently voiced disapproval of public-sector entities’ handling of personal data—even calling out the Department of Social Protection as being “substandard” in its protection methods.

DATA PROTECTION

How To Change Employee Password Habits (February 4, 2014)
Password reuse across multiple websites and company logins is a major weak link in company security systems. In a survey CSID conducted in 2012 on password habits, 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others, writes Joe Ross in this exclusive for The Privacy Advisor.

INTERNET OF THINGS

Thierer: Let’s Not Hit the Panic Button Just Yet (February 4, 2014)

The rise of Internet of Things (IoT) connectivity has brought with it increasing concerns about privacy protection and “the potential for massive security threats and privacy violations in a world of always-on, always-sensing devices,” writes Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center. Though “there are some valid reasons for concern,” he notes, “it may be the case that some of the problems we fear today never come about.” In this post for Privacy Perspectives, Thierer argues that there isn’t yet need to hit the panic button as “most of us will likely quickly adapt to this new era” and “will likely find practical solutions to many of the problems that arise.”

DATA PROTECTION

Lawmakers Optimistic Data Privacy Law Will Pass; PCI DSS “Remains Solid” (February 4, 2014)

While SC Magazine reports on the current state of global data breach legislation, The Hill reports some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” Meanwhile, in an interview with Computerworld, the Payment Card Industry Security Standards Council's Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year.

SURVEILLANCE

Tech Giants Publish Updated Government Data Request Stats (February 4, 2014)

Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn published new U.S. government data request statistics on Monday, CNet News reports, a week after the resolution of a lawsuit with the U.S. Department of Justice. The reports show a dramatic uptick in NSA data requests over the past year, the report states. A representative from the ACLU said though the reports were helpful, “they’re not nearly enough” for the public to assess the scope of the requests. In other surveillance-related headlines, Wired reports on a case involving the government order to Lavabit to hand over its SSL keys, and the Chaos Computer Club is suing the German government for allegedly helping foreign intelligence services—including the NSA and the UK’s GCHQ—monitor German citizens and compromise their privacy, ZDNet reports.

PRIVACY

Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (February 3, 2014)
In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This can involve key stakeholders from various departments and potentially happen twice a year, involving a number of action items. "You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively," Rodriguez writes in this exclusive for The Privacy Advisor.