Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Facebook’s White Hat Program Helped Uncover Glitch (June 28, 2013)
Facebook this week announced that a glitch exposed the personal information of six million users. In an interview with The Privacy Advisor, the company discusses how its White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty,” helped discover the problem and why it felt the need to report the breach.
Are Multiple Mobile Privacy Guidelines Helping or Hurting the Mobile Ecosystem? (June 27, 2013)
Never has the mobile app ecosystem been as popular and dynamic as it is now. Smartphones and the use of mobile apps are practically ubiquitous and are giving the economy a needed boost. With that boost, though, come very unique privacy concerns and challenges. And privacy regulators have taken notice.
Former U.S. Rep Bono Joins Leibowitz to Co-Chair New Privacy Coalition (June 27, 2013)
A group of the nation’s largest telecommunications companies have founded the 21st Century Privacy Coalition, Adweek reports. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said.
FTC, Irish DPA Reach Mutual Enforcement Agreement (June 27, 2013)
Federal Trade Commission (FTC) Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement,” and that, “Working closely with our international partners in this area benefits both consumers and companies.”
How UI and UX can KO privacy (June 27, 2013)
Will Dayable, co-director at Squareweave, a developer of web and mobile apps, plus an all-around entrepreneur and proud Aussie, and Jason Hong, associate professor at the Human Computer Interaction Institute at Carnegie Mellon, teamed to provoke the nearly 300 attendees at Navigate 2013 into thinking about how UX (User Experience) and UI (User Interface) affect the way people experience and understand privacy.
If Nine of 10 Employees Knowingly Breach Policy, How Is Privacy Possible? (June 25, 2013)
Earlier this year, a survey taken over several years found that out of 165,000 employees surveyed, 93 percent of them knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance at protecting consumer data if the employees charged with practicing model data-steward behavior could care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice?
Privacy, Transparency and Google’s Blurred Glass (June 25, 2013)
SPAIN—DPA Releases Guidelines on Cloud Computing Services (June 25, 2013)
In April, the Spanish Data Protection Agency released several guidelines on cloud computing addressed, on the one hand, to providers of cloud computing services and, on the other hand, to their clients or users of those services.
Privacy Front-and-Center: Rounding Up the NSA Fallout (June 25, 2013)
Over the course of the last few weeks, two leaked U.S. National Security Agency surveillance programs have put privacy issues in the headlines across the globe. Debate about privacy versus security has raged, and trade talks between the U.S. and EU have been affected. Between government and industry reaction and a smattering of opinion, there’s been a lot to follow. Here, we try to piece it all together.
Revelations on PRISM Should Not—But Likely Will—Affect the General Data Protection Regulation (June 24, 2013)
Recent revelations relating to PRISM and the Verizon FISA Order should not—but likely will—affect the current talks to enact the General Data Protection Regulation. These disclosures may make international data transfers to third countries more prescriptive, affect current and future adequacy decisions and frustrate businesses engaging in international data transfers. Considering that government surveillance is a global reality, erecting barriers to transfers of personal data for businesses is unlikely to make good sense.
Privacy Board To Host Workshop on NSA Surveillance Programs (June 24, 2013)
The Privacy and Civil Liberties Oversight Board (PCLOB) met with President Barack Obama in the first-ever meeting between the two. PCLOB Chairman David Medine told the IAPP the board “informed the president” that it “is undertaking a review of the recently revealed surveillance programs as a top priority.”
10 Steps to a Quality Privacy Program: Part One (June 23, 2013)
The May edition of The Privacy Advisor featured an article on the “Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level.” This is the first of a series of articles that will drill down on each recommended step in an effort to help those just getting started on or revamping existing policies. Step 1: Creating Roadmaps on Requirements.
UK--Government Hosts Consultation on Proposed EU Cybersecurity Directive (June 23, 2013)
The UK Department for Business, Innovation and Skills has held its call for evidence on the European Commission's proposed Directive on Network and Information Security. The directive, published on 7 February as part of the EU Cybersecurity Strategy, would mandate compulsory reporting of security breaches that have a “significant impact” on the provision of core services.
NSA Leak Implications Continue (June 20, 2013)
From connections between the National Security Agency (NSA) and various leaders at start-ups in Silicon Valley to questions of whether the NSA leaks will prompt an EU data protection rewrite, reports on the continued implications of the recent revelations abound. This exclusive highlights the key headlines, including a recent report from The New York Times on the connection between a former Facebook CSO and the NSA, a Reuters report on Wednesday’s cloud security summit and Sir Martin Sorrell’s comments in The Guardian that the NSA revelations are a “game changer.”
GERMANY—American “Prism” Program: Criticism from German Businesses, Officials (June 19, 2013)
Reportedly, the PRISM program allows the U.S. National Security Agency (NSA) to access the data collected by several American businesses including Amazon, Apple, Facebook, Google and Microsoft. The exposure of the program caused concerns among politicians as well as the business community in Germany.
A Case for Making the CSO Your New BFF (June 19, 2013)
The chief security officer and chief privacy officer at any given company can seem to occupy very different job functions. But the truth is the two positions can be exponentially fortified by working together.
Maintaining Location Privacy in the Digital Age (June 18, 2013)
Alarm has been raised about the dangers of having real-time location data widely available. For children and victims of domestic abuse, the concern can be real and warranted. However, as the privacy community debates the merits of geolocation, one glaring issue is not being addressed. The fact remains that a person’s home address is public information and can easily be found on the Internet.
BRAZIL--BYOD Trend On the Rise, Rules Should Be Clarified (June 18, 2013)
The time has gone when access to cutting-edge technology was limited to individuals working in enterprise environments. Today, information is freely available about the quality, robustness and efficiency of products, which enables ordinary users to receive and track news of what the domestic or international electronics market has to offer. On the other hand, many companies still operate more traditional forms of supply acquisition, with all the usual bureaucracy and delays. This, combined with volatile budget policies, leads to a tendency for a decrease in the pace of technological modernization in the workplace.
Rich Appointed Head of Consumer Protection (June 18, 2013)
The FTC announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. In this exclusive, Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Edith Ramirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA.
GERMANY--Karlsruhe Administrative Court: No Access to Backup Copies (June 18, 2013)
On May 27, the Administrative Court of Karlsruhe passed its judgment in a case that had attracted major public interest in the German media because the former prime minister of the state of Baden-Wuerttemberg was a party in the proceedings. However, the judgment is of interest not only for its political but also its legal impact.
HUNGARY--Highlights from the new DPA’s “Year One” (June 18, 2013)
As of 1 January 2012, a new data protection supervisory authority was established in Hungary called the National Authority for Data Protection and Freedom of Information, or Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH).
Feds Permit Some National Security Data Requests; Obama Defends Programs (June 17, 2013)
The U.S. government has said that U.S. tech firms may publish government requests for user data but can only do so when combined with state and local government requests. In our continuing coverage of the National Security Administration surveillance program leaks, we look at responses from Google, Apple, Facebook and Microsoft as well as reactions from President Barack Obama, who has defended the programs,
PRISM Revelations May Affect Global Privacy, Anti-Terror Policy (June 14, 2013)
NSA Leaks Has Canadian Officials Looking at Domestic Surveillance (June 14, 2013)
The fallout from the U.S. National Security Agency’s (NSA) surveillance programs has Canadian officials, including Privacy Commissioner Jennifer Stoddart, looking at the Canadian government’s surveillance of phone and Internet records. AFP reported earlier this week that Defense Minister Peter MacKay signed a directive in 2011 renewing a program that sifted through phone and Internet records to detect suspicious activity.
NSA Leaks: EU-U.S. Tensions on the Rise, Europe Reacts (June 13, 2013)
The past week has been filled with news about the U.S. National Security Agency’s (NSA) surveillance programmes. Initially published by The Guardian, whistleblower Edward Snowden discusses his reasons for leaking the classified programmes. The Privacy Advisor has been compiling the many angles and shockwaves that have been sent through the privacy and data protection community.
Sen. Asks PCLOB To Probe NSA Programs, Questions NSA Head (June 13, 2013)
At a Senate Appropriations Committee hearing, Sen. Tom Udall (D-NM) said he sent a letter, with bipartisan support, to the Privacy and Civil Liberties Oversight Board (PCLOB) asking it to “make it a priority” to investigate the National Security Agency’s (NSA) dragnet phone surveillance and PRISM programs to determine whether they were “conducted within the statutory authority granted by Congress” and “take the necessary precautions to protect the privacy civil liberties of American citizens under the Constitution.”
EU-U.S. Tensions on the Rise; Some Gov’t-Google Sharing Details Revealed (June 13, 2013)
The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. Financial Times reports that the Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.”
PRIVACY IN POPULAR CULTURE: IAPP Members in the News (June 13, 2013)
If nothing else, the news that has been rippling around the globe about the U.S. government’s surveillance practices has brought privacy to the forefront of public discourse. Therefore, it shouldn’t be surprising that our IAPP members are showing up all over the media in recent days. We wrap up some of what we've seen.
AUSTRALIA—NSA Leaks Reach Australian Shores (June 13, 2013)
The recent disclosure of the U.S. National Security Agency’s surveillance programmes has transcended national borders, sending shockwaves throughout the privacy community.
Tech Firms, Lawmakers Respond to NSA Leak (June 12, 2013)
As the recent NSA disclosures ripple their way through the privacy community, our continuing coverage today looks at reactions from major U.S. tech companies and several U.S. lawmakers, as well as the inevitable rise of lawsuits being filed and potentially fraying relations between the U.S. and EU over past and future data-sharing agreements.
PRIVACY IN POPULAR CULTURE: This NSA PRISM Story Isn’t Funny … Except When It Is (June 12, 2013)
This NSA PRISM and online surveillance story is enormously important. It has opened up a new nationwide, perhaps global, discussion on personal privacy and the tradeoffs people are willing to make between privacy and security. It may lead to new law, new cultural norms, new technology. However, it has already led to some excellent material for some very funny people. We would be seriously remiss if we didn’t sift through it a bit.
NSA Leak Continues To Send Shockwaves Through Privacy World (June 11, 2013)
In our continuing coverage of the fallout from the recent leak of the National Security Agency's surveillance programs, a slew of implications—from effect on trade negotiations, to developments with the proposed EU data protection regulation, to calls for baseline privacy legislation in the U.S.—are continuing to emerge this week.
Reactions to NSA Disclosures Continue (June 10, 2013)
More news about the leaking of top secret surveillance programs conducted by the National Security Agency came to light over the weekend with The Guardian’s video interview of former technical assistant for the Central Intelligence Agency Edward Snowden.
The NSA’s PRISM Program and Reactions (June 7, 2013)
The Washington Post reports on the U.S. National Security Agency’s online data surveillance system called PRISM. According to leaked documents and Power Point slides, the NSA and the Federal Bureau of Investigation “are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs” that allow intelligence analysts to track foreign threats.
EU Regulation Roundup: Move Toward Business-Friendly; May Be No Vote until December (June 7, 2013)
In a meeting of justice ministers from the 27 European Union member states, The New York Times reports that an agreement was reached on a “business-friendly proposal” for the contentious EU data protection regulation that would take a risk-based approach to regulating companies that gather data. However, there remains a long row to hoe, and some MEPs are now predicting there will be no vote on the regulation until December at the earliest.
Council of European Union Releases Draft Compromise (June 5, 2013)
A new chapter in the long and winding history of the proposed EU data protection regulation was opened late last week with the release of a draft compromise text by the Council of the European Union’s Justice and Home Affairs.
Budget May Stop Maine Bill Requiring Warrant for Geodata (June 5, 2013)
Maine’s House and Senate have both essentially passed LD 415, An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device. LD 415 would do basically what its title says, with some 90-day delay allowances at the discretion of a judge. However, the bill does not yet sit on the governor’s desk awaiting signature. Because the bill has been assigned a fiscal note of roughly $234,000 over the next two years, it now sits with the Appropriations Committee, which must decide whether there is funding in the budget to cover the expense.
Consent Is King in Latin America: Navigating the Eight Existing DPAs with a Look to the Future (June 3, 2013)
While Latin American privacy laws have largely been based on European frameworks in order to facilitate business, their prescriptive nature on data breach disclosures and cross-border transfers may more likely keep businesses away than draw them in. That was the message in a recent IAPP web conference on “Keeping Up with Data Privacy Developments in Latin America,” led by Matthew S. DelNero, partner at Covington & Burling, and Mariana Tavares de Arujo, partner at Levy & Salomao Advogados, who also discussed Brazil’s impending data protection law.
Data Breaches: A Roundup (June 3, 2013)
Data breaches continue to plague organizations across industry sectors. Here’s a look at some of the breaches that have hit businesses in the last two weeks.