Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More

Current Issue

Feature Stories

What Did You Expect? The FTC’s Two Newest Settlements

The Federal Trade Commission (FTC) has recently announced settlements with both Fandango and Credit Karma, whose smartphone apps contained the same critical security flaw: a failure to validate Secure Sockets Layer (SSL) certificates, one of the most basic and well-established security practices out there. To help businesses and practitioners minimize their own regulatory surprises, the IAPP Westin Research Center has compiled an in-depth overview of the cases.

Goodwin Procter Expands with Stegmaier

Gerry Stegmaier, CIPP/US, a longtime lawyer in the privacy space and current member of the IAPP Education Advisory Board, has moved from Wilson Sonsini Goodrich & Rosati to join the privacy practice at Goodwin Procter. “It means about 15 minutes more commuting time each way,” he joked, “further into the heart of DC, right across from the Renaissance Hotel,” which should be familiar to those who attended early versions of the IAPP Global Privacy Summit. Publications Director Sam Pfeifle talks with Stegmaier about what triggered the move, where the industry is headed in the next five years and why it’s a good time to be a privacy professional.

The Court Says FTC Can Punish Rulebreakers, but What Exactly Are the Rules?

If anyone was having a case of the Mondays this week it was Wyndham Hotels and Resorts, after a District Court of New Jersey judge denied the company’s motion to dismiss a Federal Trade Commission (FTC) lawsuit alleging Wyndham violated Section 5 of the FTC Act. Some say it’s a landmark decision that emboldens the FTC’s authority as a de facto privacy regulator and could even thwart national privacy legislation, while others say the decision simply gives the FTC the power to regulate concepts that aren’t well defined, as they haven’t been prescribed succinctly for companies aiming to comply with rules effectively created piecemeal via FTC consent decrees. In this exclusive, Angelique Carson, CIPP/US, rounds up reaction from industry, academia and activists regarding a case that may be closer to the starting line than the finish line.

Asian Regulators in Lock-Step with Global DPAs

With their respective keynote addresses at the inaugural IAPP Asia Privacy Forum, Hong Kong DPA Allan Chiang and Singapore Personal Data Protection Commission member Aileen Chia sent a cohesive message: Those companies making a good faith and concerted effort to respect their customers’ privacy have nothing to fear from regulators.

Court Ruling Moves FTC v Wyndham Forward; FTC Has Data Security Authority, Judge Rules

In what many are calling an important ruling, a federal court in New Jersey has shot down a challenge to the Federal Trade Commission (FTC) by Wyndham Hotels. In round one of the challenge, Wyndham argued the FTC overstepped its authority by suing companies for poor data security practices. The ruling by U.S. District Court Judge Esther Salas, however, denied the hotel chain’s motion to dismiss, saying the case can move forward. Salas noted her ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked” but added there is “binding and persuasive precedent” upholding the FTC’s authority.

With Big Data and Privacy, What Should the Regulators Know?

In the third and final series of meetings called for by the White House as part of its Big Data and privacy initiative, privacy experts, academics, industry representatives and government regulators convened to hash out the benefits and challenges posed by the Big Data ecosystem. Hosted by the White House Office of Science and Technology Policy, the UC Berkeley School of Information and the Berkeley Center for Law and Technology, the day featured panels covering privacy values, the challenges of health and education, algorithms and transparency and privacy governance. Jedidiah Bracy, CIPP/US, CIPP/E, sums up the key points.

The Evolving Nature of Consumer Privacy Harm

Curry v. AvMed, Inc. moves the mark once again

In the privacy world, few questions are as fundamental and pervasive as “what constitutes privacy harm?” Scholars continue to debate what it means to suffer a privacy injury, but even as they debate theory, high-profile data breaches continue to hit the newsstands; class-action lawsuits follow; the Federal Trade Commission and state attorneys general launch enforcement actions, and consumers complain in record numbers to federal and state legislators. IAPP Westin Fellow Kelsey Finch examines the case of Curry v. AvMed, Inc., and the question of which breaches are actionable and which harms are compensable.

UMaryland President: Breach Would Have Bankrupted Many Institutions

FTC Urges Congress To Grant it Civil Penalty Authority Over Nonprofits; Target Called on the Carpet

Representatives from the University of Maryland and Target—organizations that have both suffered large data breaches in recent months—along with the Federal Trade Commission (FTC), Visa and others, testified before the Senate Commerce, Science & Transportation Committee March 26 on protecting consumer data and fighting cyberattacks. Jedidiah Bracy, CIPP/US, CIPP/E, reports on the testimony and the FTC’s calls for jurisdiction over nonprofits.

NTIA Continues To Tackle the Future of Facial Recognition

Facial recognition technology, whether you’re a friend or foe, has a robust future, something clearly on display during the National Telecommunications & Information Administration’s (NTIA) March 25 multi-stakeholder meeting on creating a code of conduct for the technology. With the NTIA still in the gathering and learning stage, the meeting featured presentations from technology experts, some industry representatives and the Federal Trade Commission.

Summer Privacy Institute Will Bring Invaluable Education to Lawyers, Managers, Privacy Pros

As the most recent iteration of the IAPP's Global Privacy Professionals Salary Survey revealed, in the privacy field it is those with law degrees who report earning the highest salaries, and those with a Certified Information Privacy Professional (CIPP) designation report salary levels outpacing even those with Master of Business Administration degrees. Enter this year’s IAPP Information Privacy Summer Institute, providing privacy education from leading privacy scholars and an opportunity for law school or professional development credit.

Attacking Data Leakage

A start-up, and attendant nonprofit, focus on privacy in the publishing industry

“Publishers don’t really have their arms around their audiences in the way they used to,” said Joe Titlebaum. “The people who understand audiences the best are the ad tech folks.” Many publishers are uncomfortable with that, which presents a market opportunity. Titlebaum is chief legal and privacy officer for Mezzobit, a New York City-based start-up that’s focused on helping online publishers both understand their audience and prevent data leakage that might present privacy issues or simply make their readers uncomfortable.

Why Isn't Peter Hustinx on a Beach in New Zealand by Now?

In January, European Data Protection Supervisor (EDPS) Peter Hustinx and his staff celebrated the EDPS’ 10th year as an institution. Hustinx had all but blown out the candles on his proverbial “Bon Voyage” cake when the European Commission said, “Not so fast.” Though his two-term run had expired, the commission deemed the five candidates it interviewed to replace him late last year “inadequate.” Hustinx, Slovenia Information Commissioner Natasa Pirc Musar and Covington & Burling’s Henriette Tielemans weigh in on the delay in filling this crucial role.

Designing and Implementing an Effective Privacy and Security Plan

In its 2013 global data breach study, the Ponemon Institute reported that data breaches experienced by U.S. companies continue to be the second most expensive in the world at $188 per record. The study also reported that U.S. companies had the second greatest number of exposed or compromised records per breach at 28,765, resulting in an average total organizational cost of more than $5.4 million per data breach. Your company can mitigate the high costs of remediating a data breach by having a strong security posture and incident response plan, assembling a proper team to oversee your privacy and security practices and having a plan for breach remediation, writes Ronald Breaux.

Think Outside the Box; The Crooks Always Do

For consumers, identity theft seems to be the number-one concern, according to the FTC and a recent Ponemon survey. As privacy pros, putting ourselves in the customer’s shoes can foster perspectives that should lead to making the right decisions as risk managers, writes Matt Storer. Here are some scenarios to consider.

Are Doorstep Drone Deliveries Just Around the Corner?

Until recently, there was little concern that commercial drone technology might outrun the legal framework for dealing with it. The Federal Aviation Administration (FAA) has rarely issued certifications for commercial drones. But the FAA now has a mandate to open the national airspace to drones. And in a sign that the future may arrive sooner than expected, last month an administrative law judge reversed the FAA’s imposition of a $10,000 fine against an aerial videographer for using a drone to shoot a promotional video, saying the FAA had exceeded its authority under existing rules. In part two of this three-part series, Michael Whitener, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM, zooms in on what the future may hold.

Europe Seeks To Rise Up and Compete on Cloud Computing

Several recent activities have converged with longer-standing efforts to push cloud computing forward in Europe. Swirling around these activities have been violations of European government and citizens’ privacy via the U.S. PRISM program, lingering doubts about the effectiveness of the EU-U.S. Safe Harbor Agreement and the steady drumbeat of headline-grabbing data breaches undermining confidence in the cloud. Thomas Shaw, CIPP/US, looks at Europe’s plan to become a leading jurisdiction in cloud computing.

FTC: Undeterred by Challenges to Its Authority

Over the past few years, the Federal Trade Commission (FTC) has become increasingly active in investigating and enforcing violations of federal statutes governing privacy and data security and has also recently focused its attention on other privacy issues—including data brokers, the Internet of Things, Big Data, the U.S.-EU Safe Harbor Framework and deceptive privacy policies. Corey M. Dennis, CIPP/US, takes a close look at key FTC cases and their practical implications.

Good Cybersecurity Means Good Info Governance

While cybersecurity sounds like a highly specialized knowledge area, much of the work necessary to protect business data does not fall within the purview of the technical cyber specialists. The foundation of any good information security program is good information governance. In short, before you secure your data, you have to know your data. You have to know what data you have, where you have it, why you have it and how you use it. This may seem like a seductively simple task, but often it is not, writes Brian Boyd, CIPP/US.

Why Is the U.S. on the Defensive?

NSA surveillance may greatly exceed that of any other free-world intelligence agency, and the NSA allegedly has diminished security by covertly inducing the use of “back doors” in communications products and systems. But those who say the EU trumps the U.S. on privacy protections may be overlooking a few inconvenient points, writes David Bender.

Privacy Act Officers Should Also Be Well-Versed in FOIA

Privacy Act (PA) requesters typically are not aware of how their request may unfold regarding the information they are requesting. Oftentimes, they don’t know or understand how their requests can easily transition into a Freedom of Information Act (FOIA) request. As such, experienced PA officers should not only have a depth of experience in the PA program but also a breadth of experience and understanding of the FOIA framework in order to facilitate quality customer service, writes Office of Natural Resources Revenue FOIA and PA Officer Richard Lopez, Jr.

Ten Steps to a Quality Privacy Program, Part Eight: Apply Lessons Learned from Others’ Mistakes

In part eight of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, discusses the importance of learning from others’ mistakes. “Regulators take a hard line on mistakes that have been in the press and that are then repeated by others. Look for headlines in which fines and penalties, large breaches or other privacy- or security-related issues are discussed,” writes Rodriguez.

Are You Ready for Express-Consent CASL? ‘Cause It’s Coming

Though the government has promised to help coach proactively through the transition, organizations would be wise to start taking steps toward compliance with Canada’s anti-spam legislation (CASL), which becomes effective July 1. CASL will affect any individual, business or organization that uses commercial electronic messages (CEMs) or transmits data in electronic messages. In short, it requires senders to obtain express consent for commercial electronic messages. Angelique Carson, CIPP/US, examines the law’s provisions with insights from industry and privacy experts.

Lookout Releases Free, Open-Source Short Form Privacy Policy

You know the privacy policy story by now: While ostensibly intended to inform users of what a company will do with their personal data, the egregiously long, riddled-in-legalese documents have evolved into a formality rather than a meaningful contract for users themselves. That’s why Lookout has just released an open-source tool that aims to revolutionize that. “Private Parts” allows app developers to customize short-form privacy policies for their brands or products in five steps, or under an hour. Angelique Carson, CIPP/US, has the story.

Privacy News