Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
A Record Night of Privacy After Hours Gatherings (January 31, 2014)
Privacy pros know that when they gather on IAPP Privacy After Hours nights they are part of something big. This Tuesday night, however, was bigger than ever. More than 500 people who work with data—from all levels of experience, every sector and industry—gathered around the world in more than 30 locations.
What Will the New CPO at NSA Do, Anyway? (January 30, 2014)
How will NSA Civil Liberties and Privacy Officer Rebecca Richards, CIPP/US, CIPP/G, do things? While she asked for some time to get up to speed before speaking with The Privacy Advisor, it’s possible to get some indications of the shape of the job, and what Richards will do with it, by looking at how the position has been framed and how Richards has served in the privacy office at DHS.
What’s Bruce Schneier Doing at Co3? (January 28, 2014)
Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom to serve as CTO of a much smaller software company? That was a question some observers might have been pondering when incident response software maker Co3 announced earlier this month that Bruce Schneier was joining the company. In this feature, Schneier answers that question and shares his thoughts on how Co3 can help the security and privacy communities.
The Big News from IAPP Data Protection Congress (January 28, 2014)
The IAPP’s recent Data Protection Congress in Brussels proved to be full of robust discussions and even disagreements on the future of everything from Safe Harbor to notice-and-consent to NSA spying. In this roundup, we summarize the most stimulating conversations and presentations, including a showdown between former U.S. National Security Agency (NSA) General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philip Albrecht.
State Attorneys General as U.S. Privacy Regulators—Q & A with Maryland AG Doug Gansler (January 28, 2014)
In this Q&A, Divonne Smoyer, CIPP/US, shares insights from Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler’s focus was “Privacy in the Digital Age.” He tells Smoyer, “State attorneys general have long been champions of consumers’ privacy in the physical marketplace, where breaches of privacy are more easily contained,” explaining, “if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater.”
How Baidu Wraps Privacy Into New Products (January 28, 2014)
The world’s second-largest search engine, China-based Baidu, is continuing to look at expansion into emerging markets. Whenever it approaches a new market, Global Marketing Director Richard Lee explains, dedication to privacy is part of the company’s communications. He tells Publications Director Sam Pfeifle, “China is actually doing a great deal to keep in line with modern times. … I agree that maybe we at Baidu need to do more to prove that we respect privacy than some Western companies, but we don’t lack those kinds of concepts here in China. We want to keep in line with international standards.”
UK—ICO Releases App Guidance (January 28, 2014)
The Information Commissioner’s Office has released guidance to help app developers comply with their obligations under the UK Data Protection Act.
Data-Centric Security: Reducing Risk at the Endpoints of the Organization (January 28, 2014)
In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. Jim Wyne, CIPP/US, looks at data-centric security to mitigate risk and “ensure the most important asset of the business, the data, is protected.”
Plaintiffs Alleging Only "Future Harm" Following a Data Breach Continue to Face a High Bar (January 28, 2014)
While courts have mostly found that an increased risk of harm such as potential identity theft is insufficient to confer standing or establish damages, the law in this area remains unsettled. The Supreme Court’s ruling in Clapper may make it more difficult for such cases to proceed. Until this issue is settled, there will likely be forum shopping and forum selection clauses in contracts to help potential litigants prosecute or defend such cases. Dana Post of Freshfields Bruckhaus Deringer takes a closer look.
New Law Could Require ‘Incident’ Reporting, Whether Data Is Compromised or Not (January 28, 2014)
In February last year, the European Commission put forward its cybersecurity strategy, the main cornerstone of which is a Network and Information Security (NIS) Directive. The proposed Data Protection Regulation, currently being examined by the European Parliament, only covers security incidents where personal data is compromised. Therefore cyber attacks that do not target data would not need to be reported. The NIS Directive would change that.
How To Change Employees’ Poor Password Habits (January 28, 2014)
Password reuse across multiple websites and company logins is a major weak link in a company’s security system. In a survey CSID conducted in 2012 on password habits, it was found that 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others.
2014 Best Predictions for Privacy—and Security (January 28, 2014)
Each year about this time, Brian Dean, CIPP/US, pulls out his “foggy crystal ball” to predict the future of privacy and security in the year ahead. “For data privacy and security professionals,” he predicts, 2014 offers reasons for “optimism, but with looming midterm elections and recent significant data breaches, only subtle privacy improvements are likely.”
Book Review: The Future of Privacy (January 28, 2014)
Being a strong believer in taking a pragmatic approach to compliance, K Royal was pleased to read The Future of Privacy by Eduardo Ustaran, CIPP/E, published by DataGuidance. In general, she finds the book, available through the IAPP, to be thorough, on point and useful to privacy professionals. “This book went the further step and was actually fun to read and useful to those of the general public who have an interest in privacy,” she writes.
Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (January 28, 2014)
In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This should involve key stakeholders from various departments. The process should happen twice a year and should involve a number of action items. “You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively,” Rodriguez writes.
The All-New IAPP Mobile App Privacy Tool (January 28, 2014)
With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps.
IAPP Asia Privacy Forum Heads to Hong Kong, Singapore this Spring (January 28, 2014)
Every indication from the headlines that flooded inboxes and newsstands in the final days of 2013 and the first weeks of 2014 is that privacy will continue to be big news this year in every region of the globe. To continue to meet the needs of privacy pros—those who work for international firms, those who live in specific regions and those who are concerned with the privacy implications of living in an age where data privacy knows no borders—the IAPP is launching the IAPP Asia Privacy Forum, coming to Hong Kong and Singapore at the end of March and early April.
Will the FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Increased Enforcement? (January 27, 2014)
The Federal Trade Commission (FTC) has settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it’s business as usual. But does it at least indicate more enforcement to follow? Associate Editor Angelique Carson, CIPP/US, examines the implications of the FTC’s actions with insights from experts in the EU and U.S.
A New Handy Guide to Global DPAs (January 24, 2014)
DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 2.0 just in time for Data Privacy Day. Find out where it lives and how it was developed in this feature from Publications Director Sam Pfeifle.
With Rodriguez Tapped for DHS, Who’ll Call the Shots at OCR? (January 23, 2014)
News that U.S. President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The shift would leave the OCR director post vacant for the foreseeable future—and at an historic juncture.
EU’s Reding Urging Reform to Move Forward; LIBE Committee Draft NSA Report Leaked (January 8, 2014)
EU Justice Commissioner Viviane Reding has said the proposed EU General Data Protection Regulation (GDPR) must “move full speed ahead,” Bloomberg reports. The clock is ticking on the GDPR with European Parliament elections coming this May. “We have lost too much time already,” Reding said in a prepared statement for a speech in Brussels. Not everyone agrees, however, that the GDPR will move forward. In discussing the two main privacy surprises of 2013, Google Global Privacy Counsel Peter Fleischer wrote on his personal blog, “the old draft is dead…” Meanwhile, after months of inquiry, the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee draft report on U.S. National Security Agency surveillance has been leaked. This report for The Privacy Advisor looks at these developing stories and includes commentary from Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E.
CES Buzzes With Privacy News (January 7, 2014)
With more than 150,000 attendees descending on Las Vegas, NV, the Consumer Electronics Show is the largest event of its kind in the world and is often the venue where electronics manufacturers make their big product unveilings. This year, privacy has more prominence at the event than ever before. In this feature, Publications Director Sam Pfeifle wraps up the big privacy news, from the latest in wearables to biometrics to smart cars and TVs.
ICYMI: Target Fallout Continues; More Breaches Reported (January 2, 2014)
Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. This roundup catches you up on what you may have missed over the holidays.
Privacy Thoughts for 2014 (January 2, 2014)
Privacy—the word itself and the concept—got plenty of attention in the media’s end-of-year wrap-ups. Not surprisingly, it got a bit of attention in looks forward to 2014 as well. In this roundup, Publications Director Sam Pfeifle looks at what those opining about the future had to say in the final days of 2013 and at the start of the New Year.
Commercial UAV Use in U.S. Takes Next Step Forward (January 2, 2014)
While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the United States. In this roundup, Publications Director Sam Pfeifle reviews some of the top headlines on the use of UAVs from the holiday season.
Federal Courts at Loggerheads in NSA Surveillance Cases; Snowden Disclosures to Continue in 2014 (January 2, 2014)
The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday, December 27, ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lie ahead for the NSA in 2014.