COVID-19
When are COVID-19 vaccination policies enforceable in unionized workplaces?
In two decisions released last week, Ontario labour arbitrators ruled upon the enforceability of workplace COVID-19 vaccination policies. In one decision the arbitrator upheld the employer’s policy as reasonable. In another, an employer’s vaccination policy was found to be unreasonable. These decisions provide a useful indication of how decision-makers are likely to approach the adjudication of workplace COVID-19 vaccination policies going forward. SEE ALSO: Extending Its Stay, the U.S. 5th Circuit Says OSHA’s Vaccine Mandate Is ‘Fatally Flawed’
Brussels platform can reveal employees’ vaccination status
Brussels vaccination platform Bruvax can allow employers to obtain individuals’ vaccination status with a national registry number and postal code. Once the information is entered, if an appointment option appears, the individual has not been vaccinated. Privacy rights organization Charta21 called on the Brussels Joint Community Commission to “immediately put an end to the data leak.” Health Inspectorate Inge Neven said a legal analysis is ongoing and necessary adjustments will be made.
Privacy concerns of finding a COVID-19 proof of vaccination app
Privacy experts are advising individuals looking for COVID-19 proof of vaccination applications to be wary. Without federal regulation on a COVID-19 vaccination registry or app, many third-party apps have cropped up for individual use, but experts warn some come at a privacy cost of personal data.
Identity / Biometrics
Ontario delays launch of digital ID program until 2022
The Ontario government has delayed the launch of its digital ID program until 2022. The project was set in motion in October 2020 and consultation began in January 2021 [press notice, backgrounder, Q&A, Action Plan & (PDF)] As reported by CTV News, the program was postponed because of the launch of Verify Ontario, the province’s proof-of-vaccination app. More details on the launch of the DI initiative, including timing and specifics, will be announced in 2022. See also: Ontario is developing a digital ID program for its citizens. The process needs more transparency, privacy experts say.
Adelaide passes motion to ban police use of facial recognition until further legislation
The Adelaide City Council passed an amendment to ban police use of facial recognition until South Australia laws are drawn up regarding the use of the technology. The amendment was tied to the city’s plans to replace its worn “City Safe CCTV network” system, and specifically prevents the police from using any facial recognition technology in the new CCTV delivery in 2023 until new legislation.
Integration of blockchain and biometrics to redefine digital identity by 2030: report
Behavioral biometrics, digital government, ecommerce, banking and airport security could see some of the biggest and most notable changes over the next decade as developments in artificial intelligence, blockchain technology and biometrics enable the creation of global solutions for digital ID, according to a report by Frost & Sullivan.
UK Government digital identity plans advance amid scepticism, lack of awareness
Britons do not feel well informed about common digital identity and biometrics, according to a recently published survey into opinions around the topic ahead of plans to establish a nation-wide ‘OneLogin.’ UK millennials meanwhile feel that the government and other businesses are not properly protecting personal data. Australia’s new bill for a Trusted Digital Identity System (TDIS) has sparked similar concerns over the possibility of identity theft and lack of data safeguards.
WEF cites stats showing how digital IDs can accelerate national economies
A new World Economic Forum white paper finds reason to believe that digital ID programs will be decisive in modernized financial services. In turn, those digitized services will play a growing role in a global economic recovery from the COVID pandemic. Three factors are cited as recovery accelerators.
First, digital ID will be the “catalyst” of a more fully digital future. Second, SMEs will be helped back to health thanks to digital identification programs. Third, there is evidence that digital services, including IDs and biometric systems have “transformed consumer habits and delivered tangible benefits” to Chinese citizens.
ICO questions tech companies on app age ratings
U.K. ICO is seeking to know how technology companies assess applications to determine age ratings. The ICO has written 40 organizations “to identify conformance” with the U.K.’s Age-Appropriate Design Code. ICOP interventions are focused “on operators of online services where there is information which indicates potential poor compliance with privacy requirements, and where there is a high risk of potential harm to children.”
Education / Youth
Senators seek to protect schools from cyberattacks
A group of U.S. senators wrote a letter to the Departments of Education and Homeland Security urging stronger action against cyberattacks on schools. “K-12 schools are increasingly coming under cyberattacks from a diverse set of actors, driven largely by the rapid rise of ransomware.”
Report assesses privacy policies of hundreds of education and consumer tech apps and services
Common Sense Media released a comprehensive report examining the privacy trends and practices of hundreds of popular technology companies and products over the last five years. The “2021 State of Kids’ Privacy“ report finds increased transparency around privacy policies that provide more information about the products that children and students are using. However, that same transparency also reveals the increase of problematic practices like tracking, profiling and the sale of personal data. Across the pool of companies and apps evaluated in the report, only 26% met the minimum safeguards for all users of a product, earning a “Pass” rating. The remaining 74% scored below the threshold, earning a “Warning” rating, which indicates that these products are putting kids’ privacy at risk.
Data Sciences
Department of Defense issues ‘responsible’ AI guidelines
The U.S. Department of Defense’s Defense Innovation Unit released “responsible artificial intelligence“ guidelines, required to be used by third-party developers building AI systems for the military. The guidelines cover planning, development and deployment, and include procedures for identifying users of the technology and those who could be harmed by it, as well as potential harms and how to avoid them.
AI in Canadian Healthcare – Bias and Discrimination (new paper)
In an article for the Canadian Journal of Law and Technology, Bradley Henderson, Colleen Flood and Teresa Scassa examine issues of algorithmic and data bias leading to discrimination in the healthcare context. The paper lays out the landscape and identifies areas where there are legal and regulatory gaps and a need for both law reform and regulatory innovation. The paper is part of the newly launched Machine MD project at uOttawa that will run for the next four years. The full pre-print text of the article can be found here.
Proposed Filter Bubble Transparency Act targets algorithms
U.S. House lawmakers introduced the Filter Bubble Transparency Act, a proposal that would require internet platforms to offer an algorithm-free version of their services. Companies with fewer than 500 employees, annual gross receipts lower than $50 million in the last three-year period, and those gathering data on less than 1 million users annually would be exempt. See also: A bill proposed in New York City would require a bias audit to be conducted before an employer uses an automated employment decision tool.
Danish DPA identifies projects for regulatory sandbox on artificial intelligence
Norway’s data protection authority selected three projects for its regulatory sandbox on artificial intelligence. One uses machine learning to identify hospital patients in danger of being readmitted, another tackles money laundering and terrorist financing, and the third explores the possibility of using machine learning to identify emails and associated documents to be archived. The projects “show the breadth of cases where some of the answer may lie in the analysis of personal data.” SEE ALSO: German Court asks CJEU to clarify whether calculating consumer credit scores falls within the scope of automated decision-making under GDPR
Law Enforcement
RCMP seeks AI use to learn encryption passwords
The RCMP is seeking to use artificial intelligence to obtain passwords easier during investigations. The RCMP wants AI that would process an individual’s passwords, web history and documents, and use that information to develop passwords for encrypted data. Experts caution that a strong decryption method used by police could be overreach of its intended access and be misused.
LAPD use of social media spy tech in 2019 raises concerns
The L.A. Police Department used a social media surveillance company with controversial abilities as a trial in 2019. Technology company Voyager Labs offers social media data surveillance and collection, including “friends” and connections, and pitched its artificial intelligence algorithm can determine a user’s ideological beliefs and likeliness to commit a future crime.
Online Privacy / Surveillance
Norwegian leaders urge ban on surveillance-based advertising
Norwegian Data Protection Commissioner, Consumer Council Director, and Amnesty International Norway General Secretary call for a ban on surveillance-based advertising. “It is unacceptable to violate fundamental human and consumer rights in an attempt at serving more relevant ads. The business model of the tech giants is incompatible with the right to privacy,” they said. “It entails major challenges to human and consumer rights.”
UK Supreme Court halts billion-dollar privacy class action against Google
The UK’s Supreme Court has denied a claim that sought billions of dollars in damages in a class-action lawsuit against Google over alleged illegal tracking of millions of iPhone users. SEE ALSO: Lloyd v Google – a return to first principles and Positive news for data controllers in the much-anticipated Lloyd v Google Supreme Court judgment and Lloyd v Google UK Supreme Court Class Action Judgment — End of the Road for Some, Open Door for Others.
Facebook to stop targeting ads based on race, sexual orientation, and politics
Facebook announced it will stop letting advertisers use certain targeting options related to “sensitive” characteristics such as race, religion, sexual orientation, health causes, and political beliefs. In their announcement, Facebook owner Meta said: Starting January 19, 2022 we will remove Detailed Targeting options that relate to topics people may perceive as sensitive, such as options referencing causes, organizations, or public figures that relate to health, race or ethnicity, political affiliation, religion, or sexual orientation. See also: Zuckerberg’s metaverse will invade workers’ privacy, whistleblower says
Mozilla identifies privacy strengths, weaknesses of connected gifts
Mozilla’s Privacy Not Included shopping guide identifies 47 connected gifts with “problematic privacy practices” and 22 products that protect user privacy. Mozilla researchers examined 151 popular connected gifts, determining whether they had cameras, location tracking features or other tools that collect user data. Lead researcher said smart exercise equipment “stood out as especially problematic,” adding, “We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security.”
UK Councils and police must ‘weigh CCTV firms’ human rights records’
UK Councils and police should consider CCTV firms’ human rights records before purchasing, the surveillance camera watchdog has said. An update to the Surveillance Camera Code of Practice is expected soon – the first update in eight years. It will set out the rules which police and local authorities are expected to follow when using surveillance cameras.
Privacy issues hinder potential central bank digital currencies
Potential central bank digital currency schemes have privacy pitfalls. Chief among the concerns are how to preserve user privacy when these currencies call for user identification and transaction tracking. SEE ALSO: New anti-money laundering guidelines issued for the crypto space and FATF Issues Updated Virtual Asset Guidance.
Bitcoin update improves transaction privacy, security
An update to Bitcoin’s network improves privacy and security for complicated transactions. The “Taproot” code upgrade, the first to Bitcoin’s network code since 2017, adds signatures that make transactions look like any other, preventing attackers from recognizing an unusual transfer.
FPF, IBM report explores mitigating privacy risks of brain-computer interfaces
A Future of Privacy Forum and IBM Policy Lab report includes a recommended framework for mitigating privacy risks associated with brain-computer interface technologies. The report, “Privacy and the Connected Mind,” details ways to implement the technology while protecting users’ privacy rights.
Mobile / Location Privacy
Facebook’s Use of Alternate Location Tracking Methods to Circumvent Apple Privacy Protections Expands to Accelerometer Data
In a move that appears to primarily be aimed at iPhone users that have opted out of device tracking, Facebook is now using device accelerometer data as an alternate means of pinpointing locations and following app users about their day. This happens even if users both opt out of targeted advertising and disable location tracking within the Facebook app.
Apple will soon let you pass on your iCloud data when you die
Apple’s new Digital Legacy program, arriving in iOS 15.2, allows users to designate up to five people as Legacy Contacts. These individuals can then access your data and personal information stored in iCloud when you die, such as photos, documents, and even purchases. To activate Digital Legacy, Apple still requires proof of death and an access key. Both Google and Facebook have systems in place for designating account access to other people.
Cybersecurity / Breaches
Consultation on new OSFI Guideline on technology and cyber risk management
The Office of the Superintendent of Financial Institutions launched a three-month public consultation on a new Draft Guideline B‑13: Technology and Cyber Risk Management (Draft Guideline). The Draft Guideline will apply to all federally regulated financial institutions (FRFIs), including banks, insurers, and trust and loan companies. The publication follows OSFI’s consultation on technology risks in the financial sector that was launched in September 2020. OSFI issued a summary of the feedback received from this earlier consultation in May 2021, which is also addressed in the Draft Guideline and related OSFIletter.
CISA publishes cybersecurity incident, vulnerability response playbooks
The U.S. Cybersecurity Infrastructure and Security Agency launched two playbooks for federal civilian agencies to use in planning and conducting cybersecurity vulnerability and incident response [press notice, activity report & PDF] . The playbooks provide agencies with “a standard set of procedures to identify, coordinate, remediate, recover, and track successful mitigations from incidents and vulnerabilities affecting [federal civilian] systems, data, and networks.” See also: CISA Issues New Cybersecurity Directive for Federal Agencies.
Hacker accesses FBI email service, sends phony emails
A hacker accessed the FBI’s Law Enforcement Enterprise Portal through a temporary software misconfiguration and sent phony emails purporting to be from the agency and the Department of Homeland Security. The fake emails contained message headers from the FBI’s infrastructure. The agency said no data or personally identifiable information was accessed and the vulnerability was “quickly remediated.” Hoax Email Blast Abused Poor Coding in FBI Website
U.S. Government takes increasingly aggressive actions targeting ransomware
On November 8, 2021, the U.S. Department of Justice, U.S. Department of the Treasury, and the U.S. Department of State made several significant announcements regarding recent U.S. government actions targeting the ransomware ecosystem. The announcements are the latest signal that the federal government is taking increasingly aggressive actions to combat the threat of ransomware, which the U.S. government views as a national security threat. See also: “Whole of Government” Anti-Ransomware Campaign on Full Display and FTC recommends steps to protect against ransomware
Sophos 2022 Threat Report Identifies malware, mobile, machine learning and more
Following Cybersecurity Awareness Month, Sophos has released its latest Sophos Threat Report [news release | video summary] Five key topics covered include: 1. Malware, 2. Mobile, 3. Machine Learning and AI, 4 Ransomware, and 5 Where next? (Threat Landscape). SEE ALSO: Companies Still Struggling with Implementing Ransomware Backup Plans
Workplace Monitoring
New York State Requires Private Employers to Notify Employees of Electronic Monitoring
On November 8, 2021, New York Governor Kathy Hochul signed into law A.430 [and companion Senate bill S.2628], which requires private employers with a place of business in New York State to provide their employees prior written notice, upon hiring, of any electronic monitoring, as defined in the Act, to which the employees will be subjected by the employer. SEE ALSO: NY Enacts Employee Monitoring Notification Law
UK Workplace surveillance booming during pandemic, destroying trust in employers
An explosion in workplace monitoring during the pandemic – in part supported by common software tools from global vendors – threatens to erode trust in employers and employees’ commitment to work, according to a European Commission research paper. SEE ALSO: Zuckerberg’s metaverse will invade workers’ privacy, whistleblower says
Health Privacy
College of Physicians and Surgeons of Ontario invites comments on draft virtual care policy
The College of Physicians and Surgeons of Ontario is asking for feedback by Nov. 22 on the new draft virtual care policy and the draft advice to the profession document, the policy’s companion resource. The new virtual care policy acknowledges the shift toward remote connectivity and platforms that allow patients to access healthcare without ever entering a clinic. The COVID-19 pandemic has sped up the adoption of virtual care.
Medical Device Incident Response Playbook
A new publication from the Cloud Security Alliance IoT Working Group aims to help healthcare organizations mitigate security risks. The document provides guidance not only for incident response, but also for incident response preparation.
Events
Integrating compliance and risk management through NIST’s Privacy Framework
The U.S. National Institute of Standards and Technology will hold a Dec. 1 webinar to help organizations use regulatory crosswalks in implementing its Privacy Framework. Discussion will include creating a foundational privacy program that can be tailored to various jurisdictions, bridging the gap between compliance requirements and design, and going beyond compliance with a forward-thinking risk management approach.
Privacy News Highlights 