Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
U.S. Intel Officials Defend Programs; EU Fallout Continues (October 30, 2013)
Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Administration Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU.
Fordham Law Develops Privacy Curriculum for Middle Schoolers (October 30, 2013)
Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93 percent of 12- to 17-year-olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish an open-sourced curriculum for middle school kids, reports this exclusive. More than a dozen U.S. law schools have signed on to the program.
Location Tracking: Now Coming to a Government, Employer and Retailer Near You (October 29, 2013)
Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry a smartphone with them every step of the day, and as these devices send and receive electronic signals they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location tracking analytics is becoming more sophisticated, so too is the range of interested parties – including regulators.
Strickland new CPO at JP Morgan Chase (October 28, 2013)
Last week marked Zoe Strickland’s, CIPP/US, CIPP/G, CIPP/IT, first as managing director, SVP and CPO at JP Morgan Chase, as she has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry.
FTC’s Brill to Technologists: This Is Your Call to Arms (October 24, 2013)
Speaking at the Polytechnic Institute of New York University, U.S. Federal Trade Commissioner Julie Brill expanded upon her Reclaim Your Name initiative by declaring a call to arms to the next generation of computer scientists, engineers, programmers and technologists, asking them to help develop and create technological solutions to the Big Data-privacy quandary. She presented three main challenges that need the help of technologists: finding tech solutions for the Fair Credit Reporting Act, the Internet of Things and increased transparency mechanisms.
Cookies' Days Are Numbered, but Not Without a Fight (October 22, 2013)
Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology though may not outweigh the risks, writes David Tashroudian.
BELGIUM—Gov’t Introduces Broad Data Retention Obligations (October 22, 2013)
The Belgian government recently issued a Royal Decree which lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree of September 19 Executing Article 126 of the Electronic Communication Act of June 13, 2005 transposes the EU Data Retention Directive into Belgian law. After establishing the general framework of the data retention obligations in an act earlier this year, the Royal Decree now determines what information needs to be retained by each type of electronic communication provider and for how long.
LIBE Adopts Compromise Amendments; Sends Draft to Council (October 22, 2013)
Workers Using Workarounds Put Brands at Risk (October 22, 2013)
User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52 percent of healthcare workers globally use risky workarounds that are out of compliance with policy, either every day or sometimes, and 66 percent find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. David Houlding, CIPP/US, explores some of the tools available on the market today.
Ten Steps to a Quality Privacy Program, Part Four: Privacy Impact Assessments (October 21, 2013)
In part four of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores privacy impact assessments, which she calls key to privacy by design—or default. While there are foundational concepts that must be addressed, each organization may need to approach PIAs differently according to its size and needs.
When the Big Data Surge Crashes Against the Big Privacy Rocks: The Conflict Between the Commercial Value of Information and Increasing Privacy Regulation (October 21, 2013)
"Big Data" has already been credited with many accomplishments, but, as Baker & McKenzie's Brian Hengesbaugh, CIPP/US, and Amy de La Lama write, privacy regulations have a significant impact on Big Data. Hengesbaugh and de La Lama highlight privacy laws that specifically regulate the collection, use and disclosure of data about individuals and, thus, restrict information flows such as those associated with Big Data, and offer privacy solutions for Big Data initiatives.
Global Business? Find Privacy Allies Throughout the Company (October 21, 2013)
Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it’s important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP’s recent Privacy Academy in Seattle, WA.
This Week in Breach Roundup (October 21, 2013)
A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week.
Book Review: A Guide to the Personal Information Protection and Electronic Documents Act 2013 (October 18, 2013)
Canadian data protection law is essentially a combination of the laws of the rest of the world. It has strict definitions of personally identifiable information (PII), as the EU does, but it has more opt-out than opt-in requirements, the way the U.S. does. A Guide to the Personal Information Protection and Electronic Documents Act 2013 by Colin H. H. McNairn is unique in providing vital information in an academic, scholarly format, as reviewed here by Janet Steinman, CIPP/US.
Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)
What do you get when you put chief privacy officers (CPOs) from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends.
The Privacy Questions Raised by Apple’s New Biometric Login (October 16, 2013)
In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be “the most newsworthy piece of the new mobile device”—its fingerprint sensor. The sensor allows for biometric securing of what’s becoming one of the most personal devices people own. This report offers a primer on biometrics and the potential “privacy alarms” of the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.
Debating the “Where” of Online Jurisdiction (October 11, 2013)
In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. These cases join a long line of disputes pitting global online companies against national privacy regulators and raising to the fore the thorny questions of personal jurisdiction and applicable law on the Internet.
Cato Conference: We Have Problems, Is NSA Biggest One? (October 10, 2013)
On October 9, the Cato Institute, a public policy research organization, held a daylong conference on the recent U.S. National Security Agency (NSA) surveillance disclosures. Titled "NSA Surveillance: What We Know; What to Do About It," the conference was packed with privacy advocates and lawyers, journalists, technologists, academics and public policy and security experts. The day was also peppered with three keynotes from Sen. Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI).
Roundup: October Shaping Up To Be the Month of Innumerable Breaches (October 10, 2013)
PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.”
Three Steps to Heaven, St. Rita and the Future of the EU Draft Regulation (October 3, 2013)
The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes, Bird & Bird Partner Ruth Boardman and Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E. McDougall cited the song “Three Steps to Heaven,” telling attendees, “Well, the EU decided there are more than 30 steps to heaven … This is the process we are in to get the draft regulation, and ladies and gentlemen, we are currently on step one.”
Baker: The Grandfather of Privacy Was A Fogey (October 2, 2013)
Stewart Baker didn’t start out as a privacy skeptic. But after a career including gigs as the first assistant secretary for policy at the Department of Homeland Security and general counsel of the National Security Agency, he sort of wound up that way. This feature on his keynote address at the IAPP Privacy Academy highlights Baker’s description of the current patchwork of privacy laws in the U.S. as a result of what he’s coined the “privacy panic”—reactionary, moral panic-based lawmaking built on a small but powerful subgroup’s irrational fears of technological advances.
Amidst U.S. Gov’t Shutdown, State AGs Chuckle at Idea of Federal Breach Law (October 2, 2013)
Near the end of the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy, one brave soul asked what seemed like an obvious question: Would it make sense for there to be one all-encompassing federal data breach notification law rather than the 49 state laws that firms currently need to navigate? Given the current Congress, AGs on the panel expect there’s “no way” that will happen.