01-15 December 2013

Biometrics

US – NTIA Announces Facial Recognition Meeting Schedule

An announcement in the Federal Register details the National Telecommunications and Information Administration (NTIA) series of eight meetings related to the “Consumer Data Privacy Code of Conduct” on facial recognition technology first reported last week. The meetings will be held in Washington, DC, and will be open to the public. The report includes the dates of the eight meetings, beginning with one on February 6 aimed at beginning a “factual, stakeholder-driven dialogue regarding the technical capabilities and commercial uses of facial recognition technology.” The NTIA plans to circulate a draft for public comment following the last meeting on June 24. [Government Security News]

US – Next NTIA Project to Focus on Facial Recognition

The National Telecommunications and Information Administration (NTIA) announced it is launching a new multi-stakeholder process that will focus on the commercial use of facial recognition technology. While the technology has potential for innovative use that could improve services for consumers, writes Department of Commerce Assistant Secretary for Communications Lawrence Strickling, “the technology poses distinct privacy challenges. Digital images are increasingly available, and the importance of securing faceprints and ensuring consumers’ appropriate control over their data is clear.” The NTIA, which most recently used the multi-stakeholder process to release a code of conduct to improve privacy notices on mobile devices, will convene the first meeting to explore privacy safeguards for facial recognition technology on February 6 at 1 p.m. The public and all stakeholders are invited, and the meeting will be webcast. [NTIA]

Canada

CA – Denham Calls for Amendment to Law; Ring Voices Concerns

Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts. [Times Colonist]

CA – Report: Supreme Court Ruling Suggests All Data Is Not Equal

In a complex ruling, the Supreme Court of Canada has found that data stored on a hard drive “is not equal to the same material stored in a filing cabinet.” The case, which involved a man’s conviction for growing marijuana, is what the Canadian Bar Association’s called “a marker (in the ground) for digital privacy law in Canada,” the report states, noting the man’s lawyer “succeeded in convincing the justices that computers are ‘stand-alone places’ that require specific search warrants.” [SC Magazine]

CA – Bertrand Denies Support of Data-Sharing Bill

New Brunswick Privacy Commissioner Anne Bertrand has said she did not give the government input or support for a proposed government data sharing bill. Earlier in the week, the education minister said Bertrand had supported Bill 23—a bill that would make it easier for government agencies to share personal information. In a letter to Speaker Dale Graham, Bertrand wrote, “With respect, I was surprised to hear the minister’s comments to this effect, as her comments do not accurately reflect the nature of the discussions that took place between our office and department officials on this matter.” [CBC News]

Consumer

WW – World’s Leading Writers Demand “Digital Bill of Rights”

More than 500 of the world’s top writers have banded together to condemn the scale of government surveillance around the globe. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals have undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds. [The Guardian]

US – Study: Smartphone Users Will Pay More for Privacy

A study by University of Colorado Profs. Donald Waldman and Scott Savage has found “average smartphone users are willing to pay a few dollars for mobile apps that maintain privacy.” The team surveyed 1,726 people from seven U.S. cities, finding “consumers are willing to pay $4.05 to conceal contact lists, $3.58 to conceal the contents of text messages, $2.28 to shield browser history, $1.75 to block the phone’s ID number and $1.19 to conceal personal locations,” the report states. “We wanted to put a number out there,” Savage said. “Instead of saying what you feel or anecdotally thinking privacy is important, let’s put a number on it. Then people can have a real discussion.” [Daily Camera]

WW – Customized Airline Deals Raise Privacy Concerns

Industry reports that airlines are looking to roll out customized airfare packages for consumers based on collected data that could include income, home location and travel patterns. They are raising privacy concerns among some consumer advocates and have received the attention of the U.S. Department of Transportation (DoT). A spokeswoman for Airlines for America said, “We expect to see more airlines adopt this trend in commerce as they continue to offer passengers a more personalized travel experience.” However, Consumer Travel Alliance’s Charles Leocha said, “It will be the death of comparison shopping.” The DoT is scheduled to meet on Monday to discuss airfare pricing and could recommend federal legislation requiring airlines to disclose what data they’ve collected on travelers, the report states. [L.A. Times]

US – Many Stores Tracking Shoppers This Holiday Season

U.S. retailers are putting small tracking devices to work monitoring shoppers and their cellphones, to “tally how long people wait in line and where they shop.” The Future of Privacy Forum (FPF) has estimated “about 1,000 retailers, from tiny boutiques to Macy’s Inc., have outfitted their aisles with sensors to monitor shoppers’ paths,” the report states. While FPF has asked retailers to notify shoppers they are using such technology—and eight makers of tracking devices asked their clients to post such disclosures, the report notes, “the idea went nowhere with retailers.” Other retailers, meanwhile, have cited privacy concerns as their reason for holding off on using tracking technology, and some customers have complained about such practices as stores using WiFi signals to track customers through their cellphones. [The Wall Street Journal]

UK – Just 9% of Customers Have Faith Brands Will Secure Their Data

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20% said they would inform police of a data loss, considering it a criminal offense, and 63% said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said David Robinson, Fujitsu Chief Security Officer, UK & Ireland. Research was conducted by OnePoll, an independent research consultancy based in London. The consumers in the UK completed an online survey in October. [Fujitsu]

WW – Getting to Simpler, More Consumer-Friendly Privacy Policies

Prior to stepping down from the FTC, David Vladeck “frequently railed against the current generation of consumer-facing privacy policies” as it becomes clear that consumers just don’t read or understand them. And there is data to back him up, notes GMAC Chief Privacy Official Allen Brandt. This Privacy Perspectives post looks into several examples of creative ways companies are conveying their privacy policies to consumers, including how GMAC recently converted its entire consumer-facing privacy policy into a series of one-minute videos. [Full Story]

E-Government

EU – France Gets Criticism for New Surveillance Law

France passed a law expanding government surveillance activities and the country is getting heavily criticized by privacy advocates for the move. The new law “essentially means that the police, intelligence and anti-terrorist agencies can now spy on Internet users in real-time, across computers, tablets and smartphones.” Previously, these entities needed approval from a National Commission for the Control of Security Intercepts judge before conducting these activities. One privacy expert voiced his disappointment with the CNIL, the French DPA, and noted that the new law “shows (that) the EU governments still have few qualms about mass surveillance of their own populations, even as they protest about NSA.” [SC Magazine]

Encryption

WW – Microsoft Beefing Up Encryption Following Gov’t Spying Revelations

A Microsoft blog announces the company is “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” The company says allegations that some governments circumvent online security measures to collect private customer data put such governments alongside such threats as sophisticated malware and cyber attacks. As such, Microsoft plans to encrypt all services, reinforce legal protections for customers and expand the transparency of its software code. Microsoft General Counsel Bradford Smith said revelations the government might be hacking into corporate data centers “was a bit like an earthquake, sending shock waves across the tech sector.” [PC World]

EU Developments

EU – One-Stop-Shop Principle Delays Progress on Regulation

The proposed EU Data Protection Regulation suffered a setback when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights. [EU Observer] See also: [The EU and APEC: A Roadmap for Global Interoperability?]

EU – DPAs Say They Aren’t Ready for Regulation

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue. Irish Data Protection Commissioner Billy Hawkes says, under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules. [PCWorld] See also: [Draft EU Data Protection Package: A History and Look to the Finish Line]

EU – Member States Need More Time with Regulation Proposal

The EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht. [Bloomberg]

EU – EU, U.S. Officials Indicate Potential Privacy Agreement at DPC

The keynote stage at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue. [Privacy Advisor]

EU – Top Six Inadequacies Found During Privacy Audits

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list. [Privacy Advisor] See also: [Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan]

EU – Pan-Euro Law Likely Means ICO Restructuring

Pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February. [SC Magazine]

EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent.” Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

EU – New Dutch Fining Powers Expected in 2015

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. Jeroen Terstegge examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015. [The Privacy Advisor]

EU – Royal Decree Transposes Directive into Belgian Law

The Belgian government recently issued a royal decree that lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree transposes the EU Data Retention Directive into Belgian law. [Details]

EU – New Danish Whistleblowing Legislation Takes Effect

As of 1 January 2014, new Danish legislation concerning whistleblowing will take effect. According to the new legislation, all Danish companies in the financial sector must have a whistleblower scheme that enables employees and board members anonymously to report any breach of the financial regulation.  [Details]

EU – Customer Care Outside the EU, New Rules Coming from the Italian DPA

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens. [Details]

EU – Datagate: Garante and DIS Enter Joint Agreement

The Garante and DIS have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta. [Details]

UK – Tribunal Overturns ICO’s £300,000 Spam Texts Fine

The General Regulatory Chamber, which allows rights of appeal against decisions of the UK Information Commissioner’s Office (ICO), has overturned an earlier £300,000 fine for the sending of unwanted text messages.  [Details]

UK – Ministry of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families. [Details]

UK – ICO to Update Privacy Policy Guidance

The Information Commissioner’s Office (ICO) has announced that it will be updating its privacy policy guidance to reflect changes in privacy practices and technology. [Details]

UK – ICO Issues Code on Practice of Anonymisation

Anonymisation is of particular relevance at the moment, given the increased amount of information being made publicly available through Open Data initiatives and through individuals posting their own personal data online. Furthermore, the concept of anonymisation is fundamental for organizations that intend to take advantage of the possibilities offered by Big Data analytics without putting at risk the privacy of the data subjects. [Details]

Facts & Stats

WW – Data-Mining Software Biz Expects To Raise $100M

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. [Source] [What Makes a Good Privacy Pro?] [Social Media Guru Deletes Facebook Account, Citing Need to “Take a Stand”]

Finance

US – The Impact of New Payment Card Industry Standards on Business

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. [The Privacy Advisor]

US – Social Media Guidance for Financial Institutions

After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions. [Read Guidance]

CN – Measures Clarify Rules for Chinese Credit Reference Agencies

The People’s Bank of China put out Administrative Measures for Credit Reference Agencies to supplement the Administrative Regulations on the Credit Information Collection Sector. Hunton & Williams’ Privacy and Information Security Law Blog reports that the measures provide more detail to the regulations, which “established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.” The measures require agencies that handle personal information to gain pre-approval for licensing before they incorporate the data and state that all credit reference agencies may experience “enhanced surveillance” in certain circumstances, including if the agency is involved in a data breach incident or has failed to comply with reporting obligations, among others. The measures take effect on December 20.

Genetics

US – GINA: Complying With this Camouflaged Privacy Law

The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon — and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization.  [Privacy Tracker]

US – Court to Hear California DNA Law Arguments

A panel of 11 Ninth Circuit Court of Appeals judges will hear oral arguments today in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland’s narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California’s law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes. [The Associated Press]

Google

WW – EFF Criticises Google for Removing Android 4.4.2 ‘Vital Privacy Feature’

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.” [Full Story]

WW – Google to Cache All Gmail Images, to Some Confusion

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users. [Ars Technica]

Health / Medical

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [HHS Report]

Horror Stories

US – Breaches Affect Health Providers, College System and Discussion Forum

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, NJ.com reports. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and the publication breached privacy policies to gain the information. [NJ.com]

US – Breach May Hit 465,000 Cardholders; 2M Passwords Stolen

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cyberthieves. The cards were used by corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports, in a separate incident, keylogging software that has been installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo. [Reuters]

US – LinkedIn Seeks Class-Action Dismissal

LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users’ accounts for promotional use.” In an argument filed in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site’s terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.” [SC Magazine]

Identity Issues

WW – AVG Unveils WiFi Do-Not-Track App for Mobile

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” [Forbes]

Internet / WWW

WW – Snowden Leaks “Gumming Up” Cloud Industry

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.” [CNET News]

Law Enforcement

US – Boston Police Halt License Scanning Program

The Boston Police Department “has indefinitely suspended” its use of license-plate readers to check for motor vehicle violations in light of privacy concerns. “The police inadvertently released to the Globe the license plate numbers of more than 68,000 vehicles that had tripped alarms on automated license-plate readers over a six-month period,” the report states, noting that release “triggered immediate doubts about whether the police could reliably protect the sensitive data.” Spokeswoman Cheryl Fiandaca said the department suspended the program while Commissioner William Evans reviews it “so he knows that it’s being used effectively and that it doesn’t invade anyone’s privacy.” [The Boston Globe]

Location

WW – Twitter Partnership Aims to Bolster Location Services

Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users. [MediaPost News]

WW – Twitter Starts Ad Targeting; Automaker Tracks from Showroom

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ, Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).” [AdAge]

Offshore

WW – Report: Developing Countries Need Privacy Laws to Bridge the Gap

UN trade and development body UNCTAD has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. As of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy. [The Guardian]

Online Privacy

US – Internet’s Sad Legacy: No More Secrets

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [Full Story]

WW – New Study Uses Bots to Track the Trackers

A new study led by researchers at Princeton University and Belgium’s KU Leuven has discovered patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.” [Forbes]

US – AT&T Offers Discount to Users Willing to Be Tracked

AT&T has recently rolled out plans to offer high-speed Internet, including a 30-percent discount for users willing to be tracked. AT&T’s Fletcher Cook said, “With AT&T Internet Preferences, you allow us to use your web browsing activity … to provide you with more relevant offers and advertising.” Cook also said the company will not sell personal information. Those choosing not to take the discount will not get targeted ads but will still have data about them tracked. “We keep your personal information only as long as needed for business, tax or legal purposes,” he said, adding, “For those that don’t (opt-in), information is safeguarded the same way.” [Forbes]

WW – Opinion: Forget Notice and Choice, Let’s Regulate Use

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” [The Privacy Advisor] [Privacy Art]

Other Jurisdictions

AU – Amendment to Change Australia’s Privacy Landscape

Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have. [Australian Security Magazine]

NZ – John Edwards Is New Privacy Commissioner

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February. [The New Zealand Herald]

AU – Australian Privacy Amendments Carry Big Penalties

David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace goes on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments, and offers tips for compliance. The amendments will come into effect on 12 March. [Mondaq]

AU – ALRC Examines Right to Be Forgotten; Privacy Tort

The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right to erasure,” noting “privacy groups are demanding the right to censor other people’s posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can’t give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort. [News.com.au]

NZ – New Zealand Official Welcomes Draft FATCA Legislation

Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliance Act (FATCA) regulations, the report states, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act. [Voxy]

HK – Commissioner Rules Fitness Center Collected Excessive Data

California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” [South China Morning Post]

Privacy (US)

US – FTC Unveils Privacy Focus for 2014

The U.S. Federal Trade Commission (FTC) has announced it will host a set of three seminars to explore consumer privacy issues and “examine the privacy implications of three new areas of technology that have garnered considerable attention.” The FTC will explore mobile device tracking, alternative scoring products and consumer-generated and -controlled health data. The first seminar, focusing on mobile device tracking, will be held in February. Meanwhile, a Government Health IT report asks, “Can the FTC regulate digital health privacy?” and looks into both sides of the data security debate between the FTC and Atlanta-based health diagnostics firm LabMD. [FTC.gov]

US – White House Must Respond to Email Privacy Petition

A petition on the White House website calls for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an official response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. [The Hill] [Petition]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the FTC is also preparing a report expected in early 2014. [Privacy Tracker]

US – O’Connor Named CDT’s President and CEO

The Center for Democracy and Technology (CDT) has announced Nuala O’Connor will head the organization. Leslie Harris, CDT president since 2005, announced in July she would resign from the post. O’Connor comes to the CDT from Amazon, where she’s worked as associate general counsel on privacy and data protection. Prior to that, O’Connor worked as chief privacy officer at the U.S. Department of Commerce and later the Department of Homeland Security before settling in at General Electric as chief privacy leader and senior counsel. She’ll lean on her past government experience in her new role and looks forward to tackling such issues as surveillance and online decision-making. [Privacy Advisor]

US – Potential Settlement Over Alleged Data-Mining Without Notice

A filing this week indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Bloomberg]

US – Study: Schools Outsourcing Student-Data Collection, Neglecting Safety

Public schools are using web-based services to collect and analyze personal details about students but aren’t providing the necessary safeguards. That’s according to a new study released by the Center on Law and Information Policy at Fordham Law School. The study looked at the contracts school districts sign to outsource such analytics. Many of the contracts “failed to list the type of information collected” and others “did not prohibit vendors from selling personal details—like names, contact information or health status—or using that information for marketing purposes,” the report states. Meanwhile, EPIC has filed a complaint with the FTC aimed at protecting student data. [The New York Times]

Opinion: The Poor Deserve Privacy, Too

Seeta Gangadharan and Aleta Sprague report on welfare programs and the amount of sensitive data collected on recipients. The massive amounts of data are stored in potentially unsecure databases for varying amounts of time and sometimes lack permissions controls for case workers, the report states. “Poor people in the welfare system don’t have privacy,” the authors write, “and they don’t factor into broader debates on protecting individuals’ liberty and right to be left alone.” One solution, the authors suggest, is to collect less data on recipients, thereby making the system more efficient and mitigating the potential risk of data loss. [Slate]

US – PCLOB Announces New Job Openings

The Privacy and Civil Liberties Oversight Board (PCLOB) has announced it is looking to hire attorney advisors “who will assist the board in carrying out its oversight and advice functions regarding federal counterterrorism matters.” According to the official job description, many of the cases and problems that will be handled by the incumbent will “involve little or no established precedent, may present delicate legal or factual situations and may involve important Constitutional principles.” In comments provided to the Daily Dashboard, PCLOB Chairman David Medine wrote, “Thanks to the funding provided by Congress to the Privacy and Civil Liberties Oversight Board in October, PCLOB is now able to expand its staff by hiring several lawyers. These new lawyers will increase the board’s ability to oversee existing federal counterterrorism programs and provide advice on the development of new programs, in order to ensure that the need for such efforts is balanced with the need to protect privacy and civil liberties.” [USAJobs]

US – Acxiom Signs First Long-Term Ad Agency Deal

One of the leading brands in the data brokering business, Acxiom, has signed what AdAge is reporting as a “multi-year deal with one of the biggest media agencies in the business: Starcom MediaVest Group.” The deal allows Starcom access to Acxiom’s Audience Operating System, which offers audience segmentation and targeting across online and offline media, thanks to first- and third-party data. “We believe leveraging Acxiom client data with third-party media data across any channel is going to … shape the market in years to come,” said Laura Desmond, CEO at Starcom MediaVest Group, which is part of Publicis Groupe. The deal is significant, Acxiom says, because it has formerly only worked with individual brands and companies. “This Starcom partnership is a huge deal for us because Acxiom has never had in its 40-year history a relationship with an agency,” said Acxiom CEO Scott Howe. [AdAge]

Security

US – NIST to Host Privacy Panel December 19-20

The National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board is set to host a two-day, open meeting in Washington, DC, according to the Federal Register. Two main topics to be discussed are President Barack Obama’s Executive Order 13636 on critical infrastructure cybersecurity and potential incentives that should be adopted for improved cybersecurity practices. The report also features an agenda for the meetings, which includes updates on legislative proposals pertaining to information security and privacy, a discussion on cryptography and an update on the Privacy and Civil Liberties Oversight Board. [GPO.gov]

Surveillance

WW – Tech Giants Urge Global Surveillance Reform

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website reformgovernmentsurveillance.com to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data. [Source]

US – Gov’t Gathering Five Billion Cellphone Locations Per Day

The National Security Agency (NSA) is gathering nearly five billion records per day on cellphone locations around the world. According to documents provided by former NSA contractor Edward Snowden, the records are stored in a vast database, and new tools to analyze the data have resulted in mass surveillance, as the agency is capable of tracing cellphones globally and retracing movements. Privacy advocates have concerns about the agency’s ability to establish relationships between phone users based on such data. Chris Soghoian of the ACLU said the only way to hide your location is to “live in a cave.” Meanwhile, a Brown University panel recently discussed NSA spying and how sophisticated government agencies have become in analyzing such data. [The Washington Post]

US – Obama Panel Urging Some NSA Curbs

The New York Times reports on the conclusions of President Barack Obama’s surveillance review panel. According to the panel’s report, the NSA program collecting U.S. phone call data should continue but only under “broad new restraints” to increase privacy protections. The panel also allegedly concluded that the U.S. should codify and publicly announce the steps it’s taking to protect the privacy of foreign citizens whose phone and Internet data is collected by the NSA and create “an organization of legal advocates” to argue against government lawyers before the Foreign Intelligence Surveillance Court. Resistance to the conclusions from the NSA and others is expected, the report states. Meanwhile, Verizon Communications has taken a stance against a shareholder resolution that would require more transparency about what user data it shares with the government. AT&T recently resisted a similar shareholder resolution as well. [Full Story] SEE ALSO: [Opinion: Privacy Rules Must Not Be Ambiguous]

WW – U.S., UK Intel Infiltrates Online Gaming

New leaks from Edward Snowden reveal that the U.S. National Security Agency and the UK’s GCHQ have infiltrated large online gaming communities to gather intelligence on possible terrorist activity. According to the documents, the agencies possess massive data-collection capabilities within the Xbox Live console network—a gaming community with approximately 48 million users. Documents also reveal that if done correctly, spying within the networks could produce intelligence on users’ social networking, target identifiers such as profile photos, geolocation, biometrics and other communications. Makers of the game World of Warcraft said they “are unaware of any surveillance taking place … If it was, it would have been done without our knowledge or permission.” [The Guardian]

US – NSA Uses Ad-Tracking Tech to Locate Targets

Leaked U.S. National Security Agency (NSA) slides reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information but do include users’ e-mail addresses and numeric codes to identify their browsers, the report states. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” [The Washington Post]

Telecom / TV

US – Groups Want Anonymized Phone Records Protected

In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency. [PCWorld]

US Legislation

US – AZ State Sen. Wants To Ban NSA from the State

Sen. Kelli Ward (R-Lake Havasu City) says next month she will introduce legislation to prohibit state and local law enforcement from providing support to the National Security Agency (NSA) and state-owned utilities providers from providing services to NSA facilities. Ward aims to prevent warrantless surveillance of Arizona residents. Michael Maharrey, of the Tenth Amendment Center, the group that wrote the template for the bill, says Arizona is the first state to announce it will officially consider it. “That the federal government cannot force states to help implement or enforce any federal act or program is well-established in the law. It is known as the anti-commandeering doctrine,” Maharrey said. [Computerworld]

US – Candidate Wants Surveillance Protection in MT State Constitution

U.S. Senate candidate John Bohlinger (D-MT) has filed paperwork with the Montana Secretary of State that would expand the state constitution’s privacy protections to include digital data, reports KRTV News. Bohlinger is looking to get the language on November’s voter ballot, but it must first go through the legislative counsel, the Montana Attorney General’s Office and gain more than 40,000 signatures.

US – NY Sen. Proposes Changes in State’s Education Privacy Regime

New York State Sen. and State Senate Education Committee Chairman John Flanagan (R-East Northport) issued a report recommending stronger privacy protections for student data, among other initiatives. The report addresses concerns voiced during five Education Committee hearings, including third-party access to the personally identifying information of students, teachers and principals in the state’s Education Data Portal. One piece of legislation the report points to is a privacy bill “which would strengthen protections of personal information stored on the state-wide data portal, establish significant civil and criminal penalties for unauthorized disclosure of personal information and create independent oversight within SED on matters related to privacy,” Long Island Exchange reports.

US – Journalists, School Argue Over Whether Surveillance Video Is Protected Under FERPA

The Utah chapter of the Society of Professional Journalists (SPJ) has filed a brief stating that the Canyons School District has wrongfully cited the Family Education Rights and Privacy Act (FERPA) in denying access to school surveillance video footage, reports Student Press Law Center. While the school states the footage is protected because it is maintained by the school and identifies students, the SPJ says the video is not an education record and is therefore exempt from FERPA. The lawyer for the SPJ wrote in the brief that the footage “is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”

US – Petition Acquires Enough Signatures to Require White House Response

The Hill reports on a petition on the White House website calling for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an official response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. [Full Story]

US – Lawmakers See Amazon Announcement as More Reason for Drone Regulation

The recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone’s backyard, snooping around with a drone, checking out a person’s patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week. [The Verge]

US – CA Court of Appeals Limits Claims, Damages Under CMIA

In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Medical Information Act. The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.” The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.” [Law360]

US – FTC Settles with Flashlight App Developer

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014. [FTC.gov]

US – Potential Settlement Over Alleged Data-Mining Without Notice

A recent filing indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Full Story]

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [Full Story]

US – State AGs: The Most Important Regulators in the U.S.?

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer and Aaron Lancaster. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead. [Full Story]

US – Where the FTC is Headed in 2014

On Capitol Hill, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on the agency’s current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor, including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues. The first seminar, focusing on mobile device tracking, will be held in February. [Full Story]

US – Legal Reform Needed in U.S., Not Just Europe

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror. [Full Story]

US – Google Wins Dismissal in Privacy Policy Case

Google has won dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also ruled that the plaintiffs can refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.” [Bloomberg]

US – ALEC Publishes Model Bill for State Education CPOs

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall. [Full Story]

Workplace Privacy

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” [The New York Times]

+++

 

 
