15-28 February 2014


JP – Japan and U.S. to Share Fingerprint Data

Japan’s Cabinet has approved a bill designed to implement the recently signed Agreement on Preventing and Combating Serious Crime with the U.S. If passed, the bill will speed up the sharing of fingerprint data on suspected terrorists and people engaged in serious crimes, which now must be routed through Interpol. Under the agreement, each country will be able to send a suspected criminal’s fingerprints to the other to see if there are matches in its database. [Kyodo News International] See also: [The next privacy breach may also steal your fingerprints]

US – NTIA’s Facial Recognition Talks Trigger Debate

This week, in the second in a series of meetings to develop a voluntary code of conduct around the application of facial recognition technology, the scope of the code was debated. Led by the National Telecommunications and Internet Administration’s (NTIA) John Verdi, the talks centered on whether or not there should be a dual use structure for facial recognition’s commercial and government use; specifics on how the technology actually works and links with databases, and how much more time should be spent fact finding on facial recognition. [The Privacy Advisor]

Big Data

US – White House, MIT Co-Host Privacy Workshop

The White House Office of Science and Technology Policy and MIT co-hosted “Big Data and Privacy: Advancing the State of the Art in Technology and Practice” on March 3. The daylong event included keynotes from White House Counselor John Podesta and Secretary of Commerce Penny Pritzker, along with panels and roundtable discussions. The White House remains committed to an open, reliable Internet but understands it requires the application of “timeless privacy values to this technology” as has been applied to each generational shift in modes of communication, from the telephone to e-mail. That was part of the message from White House Counselor John Podesta in his keynote address at MIT’s event today, “Big Data Privacy: Advancing the State of the Art in Technology and Practice.” This feature highlights Podesta’s comments for today’s event, ongoing until 5 p.m. this evening. [Privacy Advisor] [EU: Telecom firms sees gold in big data despite privacy concerns] See also: [Data privacy, machine learning and the destruction of mysterious humanity]

US – Civil Rights Groups Challenge Data Collection

More than a dozen advocacy groups have written a letter to the White House asking it to craft legislation that would put teeth into the Consumer Privacy Bill of Rights. The groups are backing a set of principles aimed at pushing back against data collection they argue is used to discriminate against minorities in law enforcement, hiring and commerce. Groups are backing principles to end “high-tech profiling,” introduce protections in automated decision-making systems, put pressure on the private sector to be more transparent about data and “protect people from inaccurate data,” the report states. “Big Data has supercharged the potential for discrimination by corporations and the government in ways that victims don’t even see,” said Leadership Conference on Civil and Human Rights’ Wade Henderson. [The Washington Post] [Full Story] [letter to the White House]

WW – Proposal: Use Oil Spill Remedies on Data Breach Problem

After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem? At the Maine Law Review 2014 Privacy Symposium last week, Capital University Law Prof. Dennis Hirsch suggested we look to environmental law to find an answer. While Hirsch admits his paper’s recommendations are “intended (to be) provocative suggestions (rather) than full-fledged proposals … to spark creative thinking about solutions,” [The Privacy Advisor]


CA – Court Grants Plaintiffs Anonymity in Medical Marihuana Case

The Federal Court of Canada has agreed that denying plaintiffs anonymity in a court proceeding “would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada’s mailing that identified them” as taking part in the Medical Marihuana Access Program. Health Canada had argued public opinion on marihuana use is now “more accepting,” the report states, but the court rejected that argument, stating, “Disclosing their identities discloses that a course of treatment has been prescribed by them by a medical doctor and that they suffer from serious health conditions and symptoms.” [Canada NewsWire]

CA – Why Are Police Not Subject to FOIP?

Why are police not subject to Saskatchewan’s information access and privacy laws? “Police chiefs in both Regina and Saskatoon have expressed concern that the Freedom of Information and Privacy (FOIP) Act would put police work and sensitive information at risk,” a report states, noting the province’s former privacy commissioner, Gary Dickson, disagrees. “Being subject to FOIP doesn’t mean that a public body loses all control and all of the records can go out the door,” he said. [The Regina Leader-Post] [SK: Privacy, police and politicians: Sask. gov’t responds to call for police to become subject to information laws] See also: [Ontario Provincial Police weighing mischief charge in deleted Liberal emails probe]

CA – Experts Examine Next Step for Alberta’s PIPA   

James Bond, Robert W. Pakrul and Eileen Vanderburgh look back at the November decision by the Supreme Court that Alberta’s Personal Information Protection Act (PIPA) is unconstitutional and consider what will come next. “Varying degrees of scope of amendment could possibly be advanced to deal with the constitutional issues arising from PIPA’s structure, which establishes a broad prohibition against any information collection, use or disclosure absent consent,” they write. Alberta Information and Privacy Commissioner Jill Clayton’s recommendation is “that the most appropriate scope of change is the narrowest one,” they write, citing her view that this “would preserve the delicate balance between freedom of expression rights, and legitimate privacy expectations of individuals, which PIPA is designed to protect.” [Mondaq]

CA – Court Generates List of Factors for Metadata Cases

A recent Nova Scotia Court of Appeal case dealt with “questions of relevance, proportionality and privacy in the context of whether or not to order the production of electronic information.” Laushway v. Messervey resulted in a court order requiring a plaintiff to produce a hard drive containing metadata for forensic review, and the court has created “a list of factors for judges to consider when deciding whether to grant a production order in similar circumstances,” the report states. Among the factors the court recommends in its list are privacy, balancing, objectivity, discoverability and reliability. [Mondaq]


US – Cline: U.S. Leads World in Privacy Violation Fines

Jay Cline writes on EU leaders’ belief that the U.S. has not adequately enforced the EU-U.S. Safe Harbor agreement, citing research showing that is not the case. “Any way you cut the data,” Cline writes, “the U.S. dwarfs Europe and every other jurisdiction in doling out fines for data privacy violations. If privacy is measured by its weight in gold, America is the safest place on earth for personal data.” Cline’s report looks at the history of Safe Harbor, highlighting his team’s research on fines of $100,000 or more imposed by government agencies for privacy violations. “We also set out to rank-order the top privacy fines in history,” he writes. “When we did this, the U.S. dominated the leader board.” [Computerworld]

US – AGs Want State Breach Laws Kept on Books

Given that there is no federal law regulating data breaches, most states have created their own rules on data breach disclosures. And state attorneys general (AGs) are interested in keeping it that way. While a federal baseline law would be welcome, state AGs want to keep their laws in place. “States have been the leaders, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.” [Politico] See also: [Maryland: Bill would require drivers in serious accidents to give police cell phone information]

US – Survey: Users More Hesitant to Click on Ads, Use Unknown Apps

TRUSTe has released its third annual consumer confidence privacy research survey, which found that privacy concerns are up significantly from last year, with 74% indicating they are more concerned about privacy than they were a year ago. While 70% said they are more confident than one year ago that they can manage their online privacy, that may have negative repercussions for industry, with those surveyed indicating that means not clicking on ads or using apps they don’t recognize. [Full Story]


CA – Citizenship and Immigration May Share More Data

A memorandum prepared for Citizenship and Immigration Minister Chris Alexander indicates that “the government is building an information technology system that could be used for the systematic exchange of biometric data with Britain, Australia and New Zealand” in addition to the perimeter security pact with the U.S. “Systematic sharing is preferable to manual case-by-case sharing because it can generate faster responses and be done at higher volumes,” according to the memo. The Office of the Privacy Commissioner has voiced concern “about high-volume, routine information sharing with other countries, saying it may be impossible to control what happens to that data once sent abroad,” the report states. [The Canadian Press]


WW – Dutch Telecom and Silent Circle to Encrypt Phone Calls

Dutch telecommunications provider KPN has struck a deal with encryption service Silent Circle to provide customers in Belgium, Germany and The Netherlands with encrypted phone calls and text messages. Silent Circle currently has servers in Canada and has plans for one in Switzerland. KPN has said it plans to build a server in The Netherlands so that data doesn’t leave the country. This June, KPN customers will be able to download Silent Circle services Silent Phone and Silent Text. Silent Circle has also been working with Geeksphone to create the Blackphone, a smartphone designed to protect user privacy. [PC World] See also: [New TextSecure delivers smoother encryption]

WW – Cryptographers at RSA: “Users Seem to Now Mind Giving Up Privacy”

If there are buzzwords at this year’s RSA conference, they are without question “mistrust” and “NSA.” And if there’s anywhere the irrefutable impact of the “Summer of Snowden” reverberates, it’s through the corridors at the Moscone Center in San Francisco, CA. During the Tuesday morning keynote, panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ron Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry. [Angelique Carson]

EU Developments

EU – German Court: Facebook Must Comply with Data Protection Law

The Higher Court of Berlin has ruled Facebook must comply with German data protection law. However, that decision, which confirms a 2012 decision finding the social network’s “Friend Finder” violated the country’s law, has “directly contradicted an earlier decision by another court,” the report states, citing a verdict of the Administrative Court of Appeals of the State of Schleswig-Holstein. The Higher Court of Berlin also found portions of Facebook’s privacy policy and terms of service violate the law. The Federation of German Consumer Organisations, or VZBV, called the decision “a milestone for data protection in the Facebook era.” [PC World] See also: [Angela Merkel: Let US spies keep their internet. The EU will build its own]

EU – Dutch Law Enforcement Calls for Improvements

Dutch law enforcement officials want improvements in how communications data is collected and stored, citing a justice ministry evaluation of The Netherlands’ data retention law. “Law enforcement officials that participated in the evaluation called for an expansion of the retention period for the data to a full 12 months, as well as an end to distinctions between telephony and Internet data,” the report states, noting, “For mobile calls, they also want not only the time when the call started recorded but also the time it ended.” [Telecompaper]

EU – Swedish Telecom Privacy Rules Go Into Effect in September

PTS, Sweden’s postal and telecoms regulator, is establishing requirements for telecoms operators to protect their customers’ personal information and communications. “Among other things, the new regulations deal with the question of who is allowed to access and handle customer information. PTS said only people with the correct training and who need the information in order to carry out their work will be able to access sensitive details about customers and their communications,” the report states. The regulations are scheduled to go into effect on 1 September. [Telecompaper]

EU – Will Facebook-WhatsApp Deal Be Probed by EU DPAs?

The Facebook-WhatsApp deal may trigger privacy investigations from data protection authorities (DPAs) across the EU. Article 29 Working Party Chairman Jacob Kohnstamm said the acquisition may get the interest of DPAs. He said that DPAs “could, having heard about the merger, decide to do research into the product as well” and subsequently all “28 data protection regulators could open an investigation.” The main concern, he said, is the collection of data from users’ mobile address books when they download the application. Meanwhile, Finland-based Nokia is facing criticism after it was revealed that its Lumia line of Windows Phones transmitted personal data—including that of some senior members of Finland’s government—to Microsoft servers in the U.S. [Bloomberg Businessweek]

UK – Commissioner Graham Tenure Extended Two Years

UK Information Commissioner Christopher Graham will remain in his current position for at least the next two years after the Queen officially approved his reappointment. The UK Ministry of Justice said the official start date of his reappointment begins on June 29. Graham said he is “delighted” to remain in office. “I don’t underestimate the challenge of leading the ICO at this time,” Graham said. “But unlike any other public body that I know, it falls to the ICO to champion both the right to privacy and the right to know for citizens and consumers—here in the UK, in Europe and internationally … It’s a big responsibility and the next phase certainly won’t be dull.” [V3.co.uk]

EU – The CNIL Is Making Its Mark

With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation. [Privacy Tracker] [Google acquires password sounds startup SlickLogin]

WW – On Leveraging Big Data While Complying with Law

The Big Data Project (BDP), an Open University study, is looking into how organizations can leverage Big Data while complying with EU data protection principles. Sara Degli Esposti, a research fellow at the Open University Business School, discusses the study, asking, “What kind of legislation do we need to create that positive system of incentive for organizations to innovate in the privacy field?” The BDP “represents a chance for you to contribute,” she writes, “and learn about, the debate on the reform of the EU Data Protection Directive.” The BDP is open to employees concerned with data management or use “from all types of organizations … with interests in Europe.” [Privacy Perspectives]

Facts & Stats

US – AT&T Reveals Gov’t Requests for Data

AT&T has revealed it received 302,000 data requests in 2013 related to criminal and civil cases. The requests from local, state and federal authorities include more than 248,000 subpoenas, 37,000 court orders and 16,000 search warrants, the report states. AT&T was also asked nearly 38,000 times “to share real-time and historical locations of its customers” and another 94,000 times to share location data in an “emergency” situation. The AT&T report is similar to that of Verizon, which last month also released its report on government requests for data. [CNET News]

US – OWASP Looking for Volunteers for Privacy Top 10 Project

In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. The project, first developed in 2007 by the Open Web Application Security Project and refreshed in 2010 and 2013, has been translated into seven of the world’s major languages, so it is a truly global tool. Sound like something privacy pros could use? Well, Florian Stahl, CIPP/IT, thought so, too. So, this month, he has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help. [Full Story]

WW – On Breach Response, 50 Percent of Execs Are in the Dark

One half of executives surveyed have not been trained in what to do in response to a data breach. The report surveyed 341 senior business leaders from around the world, almost half of whom are C-suite-level executives. The unit then conducted a series of in-depth interviews with 17 senior executives on managing digital assets. Of the key findings, the report states that data risk awareness does not extend evenly across most organizations. The most knowledgeable departments tend to be IT and finance, due to the sensitive information they deal with. “This low level of awareness across the company is equally true vertically,” the report states. [The Economist Intelligence Unit’s Information Risk]



US – Utah Considers Expanding DNA Collection Practices 

The Utah Senate Judiciary, Law Enforcement and Criminal Justice Committee has approved a bill that would allow law enforcement to collect DNA samples from those convicted of felonies at the time of booking. Rep. Steve Eliason (R-Sandy), who proposed HB 212, says DNA testing helps “law enforcement know much sooner who they have in custody and how they should handle and treat them.” However, the Utah Association of Criminal Defense Lawyers says the bill violates the rights of innocent people. [Deseret News]

Health / Medical

US – ONC Announces Plans for Privacy Tools for Providers

The Office of the National Coordinator for Health Information Technology (ONC) is working to provide more tools to help providers, including a downloadable security risk assessment tool. Laura Rosas, senior policy advisor at the Office of the Chief Privacy Officer said at the HIMSS14 conference on Tuesday that “small practices don’t really understand what a risk assessment is and what the process entails,” adding, “we know from Office for Civil Rights audits that these practices simply aren’t doing the assessment.” The ONC already offers tools in the way of a training game and notice of privacy practice templates. [Healthcare IT News] See also: [Can You Trust What’s In Your Electronic Medical Record?]

US – HIPAA Changes Mean Tightening Vendor Relationships

With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear on performing appropriate due diligence. [The Privacy Advisor] See also: [E-patient record system makes uneven playing field, says MD] and [Healthcare organizations under siege from cyberattacks, study says]

Horror Stories

WW – Info from 360M Accounts Available for Sale; Other Breaches Reported

Hold Security LLC has announced uncovering “stolen credentials from some 360 million accounts that are available for sale on cyber black markets,” citing risk beyond stolen credit card data “because of the chance the sets of user names and passwords could open the door to online bank accounts, corporate networks, health records and virtually any other type of computer system.” Separately, Identity Finder has released research indicating “an estimated 630,000 social security numbers on nonprofit organizations’ tax returns … have been posted online,” and Indiana University has reported a breach involving the names, social security numbers and addresses of 146,000 current and former students. Meanwhile, the House Committee on Oversight and Government Reform is seeking documents related to the Target breach and has asked for all documents to be submitted by March 10. [NBC News]

PR – Puerto Rico Health Org Faces $6.8M Penalty

Triple-S Management has said the Puerto Rico Health Insurance Administration (PRHIA) plans to levy a $6.8 million fine stemming from a security breach to the health insurer’s subsidiary, Triple-S Salud (TSS). A filing with the Securities and Exchange Commission indicates the penalty is related to a breach affecting 13,336 Dual Eligible Medicare beneficiaries. TSS mailed notification letters to some recipients last September, which included some of the recipients’ Medicare Health Insurance Claim Numbers, which are considered protected health information. TSS said, “We take this matter very seriously and are working to prevent this type of incident from happening again.” [The Wall Street Journal]

US – 300,000 Records Breached; Calls for Cybersecurity Continue

A “sophisticated” cyber-attack has compromised the personal information—including names, Social Security numbers and birth dates—of more than 300,000 University of Maryland faculty, staff and students. Meanwhile, The Hill reports calls for congressional action on cybersecurity are continuing. One expert hopes the release last week of a cybersecurity framework by the White House will help spur Congress to take action. In a video by The Wall Street Journal, experts discuss how Target managed the fallout from its breach and its effect on the company’s bottom line. According to one report, nearly 800 million personal records were exposed in 2013. One organization has put together a “Breach Level Index” to assess the varying degrees of a breach’s impact, and Steptoe & Johnson’s Jason Weinstein discusses preventative measures businesses can take. [CNET] and [Well.ca loses customer credit card data in security breach]

Identity Issues

WW – The Rise of Bring-Your-Own Wearable Device

This report examines the rise of wearable technology and how it has been and will be integrated into the work environment. Early adopters include Tesco, which gives smart armbands to workers to help track goods, distribute tasks and measure location movements. Another firm, Pru Health, offers employees Fitbug health devices as part of its “Vitality” program. These devices supplied by employers, as well as bring-your-own wearable devices (BYOWD), have robust personal data-gathering potential—including swaths of sensitive personal information. As smart glasses and wearable cameras become more integrated into the work environment, businesses will have to consider BYOWD policies to protect employees’ privacy expectations, the report states. [V3.co.uk] See also: [A Privacy Pro Takes a Test Drive With Google Glass] See also: [Cops recover 100 stolen IDs]

Intellectual Property

US – Media Orgs Want Gmail Docs Released

A coalition of news organizations is asking U.S. District Court Judge Lucy Koh to unseal court documents related to a Gmail lawsuit. “This case has the potential to not only affect the rights of the millions of class members but also to set precedent on vital issues of first impression for privacy law,” the coalition wrote in papers filed in U.S. District Court. The news organizations contend that neither Google nor consumers involved in the suit have demonstrated a need for the documents to be sealed, writing, “Instead, the parties have asked the court to reflexively seal thousands of pages of documents in a case that could impact the privacy rights of millions of Americans.” [MediaPost] See also: [US: News Orgs Oppose Attempt To Seal Records In Gmail Privacy Case] and [Updated: Canadian ISP to name subscribers linked to illegal downloading]

Internet / WWW

WW – Oracle to Buy BlueKai for $400M

Oracle has agreed to acquire BlueKai for a reported $400 million, though terms were not publicly disclosed. Among BlueKai’s offerings is technology that allows for data transfer independent of cookies but with “the same transparency and notices that cookies have.” The report says Oracle plans to integrate BlueKai with other cloud marketing products Responsys and Eloqua to “give its customers the ability to more precisely personalize messages to consumers and B-to-B buyers—the people those products are used to reach.” [AdAge]

Law Enforcement

CA – Public Database of Child Sex Offenders to be Part of Pedophile Crackdown

The federal government plans to create a publicly accessible database of high-risk child sex offenders as part of a bill that takes aim at those who prey on young people. The legislation introduced this week would also require registered sex offenders to provide more information when they travel abroad and permit more sharing of information between federal agencies. The most contentious element of the package could be the plan for a public database, which some warn can lead to vigilante-style attacks against sex offenders released from prison. Public Safety Minister Stephen Blaney said the government would make no apologies for the approach. The bill would allow the RCMP to begin discussions with provincial and municipal authorities to establish the national database using existing information on high-risk child sex offenders who have been the subject of a notice to the public. “What this national database will do is to make sure that this information is available throughout the country in a standardized manner,” Blaney said. In 2012-13, more than 3,900 sexual offences occurred in Canada against children, an increase over the previous year. [Source] See also: [Toronto police to test out lapel cameras]


US – Franken to Reintroduce Geolocation Privacy Bill

U.S. Sen. Al Franken (D-MN) has announced plans to reintroduce the Location Privacy Protection Act, which would require express consent in order for nongovernment entities to obtain geolocation information from an electronic communication device, among other provisions. The bill would apply to a range of businesses that interact with customers’ geolocation data and would allow enforcement by the federal attorney general, state attorneys general and private citizens. [Inside Privacy]

US – Site to Allow Users to Opt Out of Location Tracking

The Future of Privacy Forum (FPF) will today launch www.smartstoreprivacy.org, a website offering consumers the ability to opt out of location tracking by entering their phones’ MAC address. A coalition of 11 mobile analytics companies has agreed to honor the requests to opt out, which will take effect in 30 days. The FPF is working with participating companies on developing signs to alert shoppers about the site, said FPF Executive Director Jules Polonetsky. [MediaPost]

WW – Privacy Issues Raised by 3D Room-Mapping Program

Google recently announced Project Tango, an Android-based phone with built-in, super-advanced 3D sensors capable of mapping a given area around the device, including the interiors of buildings. In its announcement, Google asked, “What if you could capture the dimensions of your home simply by walking around with your phone before you went furniture shopping?” The technology is currently only available to 200 developers, and Google says the technology is still in the early stages, but the report suggests potential privacy implications, including where the maps would be stored and who would have access to them. [Motherboard]


Indian Gov’t Plans to Create DPA, Give Citizens Privacy Rights

The government plans to grant all residents a right to privacy and establish a data protection authority (DPA) to rule on issues involving privacy and impose penalties for violations. Under the draft “Right to Privacy” bill, the DPA will investigate data breaches and issue orders to protect those affected. The draft bill also prohibits “covert surveillance of individuals which leads to breach of their privacy, unless authorized by law.” Exemptions to the bill have been proposed for national safety or security and maintenance of public order. [The Economic Times]

CN – PCPD Releases Guidance on Privacy-Management Programs

The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The guide is aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, “Legal rights do not save you from dissatisfied customers,” explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. [The Privacy Advisor]

Online Privacy

WW – New Book on Social Network Privacy by danah boyd

It’s Complicated: The Social Lives of Networked Teens, a new book by danah boyd, is now available. K Royal describes the work as “easy to read, applicable to the privacy field and full of interesting, well-considered research.” Royal provides an overview of the book’s eight chapters and considers the relevance of the subject matter for privacy professionals and the general public alike. “I can do nothing less than highly recommend this book” to those interested in privacy or issues affecting teens, Royal writes. [The Privacy Advisor]

US – Facebook-WhatsApp Deal Prompts Privacy Concerns

Bloomberg Businessweek reports on next week’s Mobile World Congress, keynoter Facebook CEO Mark Zuckerberg and how privacy will take on a large role at the event this year. And while Telefónica, Deutsche Telekom AG, Orange SA and KPN have begun offering users more control, Facebook’s deal to buy WhatsApp has some concerned about its privacy implications. Schleswig-Holstein Data Protection Commissioner Thilo Weichert has said WhatsApp users should switch to a more secure messaging service. But, in a blog post, WhatsApp said “nothing” will change for its users. The Washington Post reports that WhatsApp Co-Founder Jan Koum’s years of living in the Ukraine contribute to the strong focus on user privacy. [Bloomberg Businessweek]

WW – Dating App Vulnerability Allowed for Pinpointing User Locations

Tinder, an app facilitating spur-of-the-moment dating, reportedly has a security problem leading to users’ exact physical locations being divulged without their consent. Instead of rounding to the nearest mile when searching for potential dates in your immediate vicinity, the app’s servers were giving out data that would allow hackers with “rudimentary skills” to determine a user’s location within 100 feet. Security researchers told Tinder about the security lapse in October; the company responded in December and addressed the problem, the report states. [The Washington Post]

US – Senate Candidate Posts “Gruesome” Medical Images Online

A U.S. Senate candidate’s Facebook postings “of gruesome X-ray images of gunshot fatalities and medical injuries to his Facebook page” have raised ethics and privacy concerns. Milton Wolf, a Kansas radiologist “anchoring a campaign for the Republican nomination with calls for federal healthcare reform,” has said the images are legal and were uploaded for educational purposes. However, the images included disparaging comments about the victims, the report states. “The dignity and privacy of the individual should be protected,” said Center for Practical Bioethics President John Carney. “It doesn’t sound like they’re being protected if they’re, obviously, on Facebook.” [The Topeka Capital-Journal]

US – BBB Finds Site Did Not Comply With COPPA

The Better Business Bureau Children’s Advertising Review Unit has found that a Harper Collins website did not comply with the Children’s Online Privacy Protection Act (COPPA). “The Ruby Redfort site, touting a book series that features a 13-year-old girl detective, didn’t have procedures in place to obtain verifiable parental consent before collecting names, street addresses and e-mail addresses from children,” the report states, noting COPPA prohibits websites from “knowingly collecting” such data from children under the age of 13. Meanwhile, The Washington Post and Forbes report on the emergence of anonymous apps and social networking sites filling “a growing demand among teens for more fun, less accountability and more privacy online.” [MediaPost]

Other Jurisdictions

MX – Regulator Plans to Issue “Abundance” of Fines

Mexico’s data protection authority (IFAI) has issued a statement announcing it will issue “an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties,” Reed Smith’s Cynthia O’Donoghue writes. The IFAI has the authority to issue fines for such violations of up to $1.5 million and up to three years imprisonment for data controllers whose databases are breached under their control, with double penalties for “sensitive data.” [Mondaq]

HK – Hong Kong PCPD Releases Guidance on Privacy-Management Programs

The Office of the Privacy Commissioner for Personal Data (PCPD) has released a guide outlining the foundations of privacy management programs. The guide is aimed at helping organizations as they develop or improve programs. The South China Morning Post reports from the PCPD’s event, spotlighting how privacy scandals, such as the much-publicized Octopus incident, can result in businesses choosing “to reconsider their approach to data protection.” Octopus Holdings Chief Executive Sunny Cheung said, “Legal rights do not save you from dissatisfied customers,” explaining the company now collects “minimal” personal data and avoids “vague terms that could mislead customers about data policies,” the report states. Editor’s Note: PCPD Allan Chiang will be one of the keynote speakers at The IAPP Asia Privacy Forum in Hong Kong on March 31. [The Privacy Advisor]

SK – South Korea’s FSS Announcing New Measures

South Korea’s Financial Supervisory Service (FSS) is preparing to announce measures to “better protect personal information (PI) handled by financial firms following a recent massive data leak,” Yonhap News Agency reports. The measures include limiting financial firms from requesting “too much” PI. “The newly crafted measures may go into effect starting in April after preparation works,” said an FSS official. The breach that prompted the measures involved PI on “half of the country’s 50-million population” from three credit card firms—KB Kookmin, NH Nonghyup and Lotte—and Kookmin Bank. [Full Story]

BR – Amendments to Brazil’s Proposed Internet Privacy Law Jeopardize Privacy

Activists have launched an online campaign aimed at removing one of the recent amendments to Brazil’s Internet bill of rights that is expected to be voted on by Congress at the end of the month. They say the amendments put net neutrality and user privacy in jeopardy, citing specifically Article 16, which requires service providers to retain personal data of consumers. [Global Voices]

TU – Turkish President Signs Internet Law

Turkish President Abdullah Gul has signed a law giving the government the power to monitor Internet activity and block content it deems illegal or to be “violating privacy” of a person. The law also requires Internet providers to retain records on users for two years. While the prime minister argues the change will protect privacy and further democracy, critics say it is an attempt to squash freedom of speech in advance of the upcoming elections. [The Wall Street Journal]

SA – Complying with South Africa’s New Privacy Laws

South Africa’s Protection of Personal Information Act (POPI) was signed into law last November but has yet to come into practice. “Once a commencement date is announced, companies will only have one year to get their houses in order,” according to Accenture’s security practice lead. The law has brought the country in line with international data privacy laws and is based on the EU directive. [ITWeb]

AU – Australian Privacy Principles Finalized, Effective March 12

The final iteration of the Australian Privacy Principles (APPs) has been issued by the Office of the Australian Information Commissioner following public consultation. Public and private organizations must adhere to the APPs when they go into effect on March 12 along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. Pilgrim said, “Most of the requirements contained in the APPs are not new, and business and government should be ready to hit the ground running come March 12.” [Computerworld Australia]

AU – Hacked Companies Off The Hook Under New Privacy Laws

The Office of the Australian Information Commissioner (OAIC) has confirmed it won’t hold organisations accountable for the exposure of personal information when accessed via a cyber attack, as long as the Office is satisfied with the level of security in place within the targeted systems. New privacy rules strengthening the enforcement power of the OAIC come into effect on 12 March 2014. In final guidelines on the way these laws are likely to be enforced, the OAIC made a distinction between what it will treat as a ‘disclosure’ of personal information – which could incur penalties of up to $1.7 million under the new regime – and ‘unauthorised access’. “An APP entity is not taken to have disclosed personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information,” the guidance noted. Incidents falling into this category would include “a cyber attack” or “theft, including where the third party then makes that personal information available to others outside the entity,” the guidelines explain. [Source]

Privacy (US)

US – DoJ Asks FISC for Increase in Retention Limits

The Department of Justice has asked the Foreign Intelligence Surveillance Court to extend how long it can retain telephone metadata beyond the current five years, citing civil suits regarding the data. In a filing made public on Wednesday, the DoJ wrote, “A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.” The ACLU, Sen. Rand Paul (R-KY) and the First Unitarian Church of Los Angeles have filed civil suits challenging the phone metadata collection program. [IDG News Service]

US – AG Holder Calls for National Breach Law

Attorney General Eric Holder has called on Congress to enact federal data breach protection legislation. “A strong, national standard for quickly alerting consumers whose information may be compromised … would empower the American people to protect themselves if they are at risk of identity theft,” he said. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.” In response to claims this would overwhelm law enforcement, Holder said legislation should have exceptions for small breaches. Meanwhile, Bloomberg is reporting the hackers who compromised Neiman Marcus are almost definitely separate from those who attacked Target, and the number of cards affected is fewer than initially reported: a maximum of 350,000. [CNN]

US – FTC’s Brill Pushes for Data Privacy Laws

Federal Trade Commissioner Julie Brill has called on Congress to pass three privacy laws, including transparency requirements for data brokers. Consumers should have the right to view and correct information compiled about them, she said. “I believe we should be concerned about the damage that is done to our sense of privacy and autonomy in a society in which information about some of the most sensitive aspects of our lives is available for analysts to examine without our knowledge or consent and for anyone to buy if they are willing to pay the going price,” Brill said, adding, “I think it is increasingly clear that the United States needs data security legislation.” [The Hill]

US – Judges: Users Have Right to Text Message Privacy

The Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices. In two 5-4 decisions, justices overturned drug convictions that hinged on law enforcement access to text messages without warrants. Justice Steven Gonzalez wrote in one of the cases, “Text messages can encompass the same intimate subjects as phone calls, sealed letters and other traditional forms of communication that have historically been strongly protected under Washington law.” The Electronic Frontier Foundation’s Hanni Fakhoury said, “People have a right to have those messages delivered without fear of government intrusion or interception, and if the government wants to intrude or intercept them, they have to get a warrant or wiretap to do so.” [Associated Press]

Privacy Enhancing Technologies (PETs)

WW – Making Online Privacy More User-Friendly

With increased awareness about online privacy issues, both from the public and private sectors, a host of online privacy tools exist, but most of them can be difficult to use. GigaOM reports on a group of experts attempting to make online privacy tools more user-friendly. Groups have been attempting to “redecentralize” the Internet, but, the report states, the open-source scene is often made up of users more concerned with function than with the user experience. Eleanor Saitta, of the Open Internet Tools Project, said, “There are still a lot of people in the (developer) community who are, ‘If I can use this tool, why can’t everyone?’ A lot of people aren’t willing to acknowledge that if ordinary users can’t use it, they won’t.” [GigaOM] See also: [The dirty little secret of secret-sharing apps]

WW – Mozilla Rolling Out New Privacy Features

In a partnership with Deutsche Telekom, Mozilla said it plans to release new privacy and security features for its Firefox operating system. The focus of its Future of Mobile Privacy project is emerging markets. Mozilla has found the most prevalent concerns include lost/stolen mobile devices and the privacy of sharing personal information among friends and family. Mozilla Global Privacy and Public Policy Leader Alex Fowler said Mozilla will “be calling on the privacy and security community to start dreaming up what they think are exciting features and services, and we want to prototype and make those part of future releases as well.” [ComputerWeekly]

WW – Surveys Offer Insights Into Consumer Perspectives

Two recent studies offer insights into consumer perspectives on the use of their personal information (PI). A survey from content management and analytics firm SDL indicates “nearly two-thirds of consumers in the U.S. and around the world are worried about how marketers are using their personal information.” However, about 80 percent are willing to provide PI “to a trusted brand as long as brands are transparent about how they collect and use their information and as long as they get something in return.” A Fortinet study of Gen-Xers and Millennials, meanwhile, found differences in “philosophy about security and privacy” from one generation to the next. [AdWeek]

WW – If Gov’t Won’t Protect Privacy, Innovation Will

Mike Janke spent 14 years as a Navy SEAL. He’s been around the block, so to speak. And the U.S. government’s decision to circumvent the controls in place to protect innocent citizens’ communications en masse has him scared right now. Janke, now CEO of Silent Circle, was talking about the “Summer of Snowden” revelations during a session at RSA 2014 entitled “Mission Impossible? Building and Defending Zero-Knowledge Privacy Services.” The Privacy Advisor reports on Ethan Oberman of cloud-based synchronization and sharing service SpiderOak, Nicko van Someren, CTO of Good Technology, and Janke’s discussion of the new premium on “zero-knowledge” technology models that allow users to maintain complete control of their data access and new technological solutions for privacy. [Full Story]

WW – Digital Assistant to Offer Privacy Controls

Microsoft plans to release a personal digital assistant, Cortana, in its new Windows Phone, complete with granular privacy controls for users, The Verge reports. Users will reportedly be able to control what data is shared with Cortana, including location data, behaviors, personal information, reminders and contact information. According to the report, Cortana will only store such data to Notebook if it’s granted permission by the user to do so, and any stored data can be edited or deleted. [The Verge]

WW – New Program Manages Privacy Settings

My Face Privacy is a new product from Israeli software firm CallingID, designed to manage the privacy settings of multiple social networking sites—including Facebook, Twitter, Google+ and LinkedIn. The desktop-only application works like a password manager and offers four preset privacy settings. “Social networks are trying to make as much information visible to as many groups as they can,” said CallingID Executive Vice President Yair Nissan. “They have a default set of privacy policies, which is not restrictive at all. They complicated the way that you can change and manage your privacy settings—you have to go through many screens, and unless you’re an expert, you probably won’t find all the different parameters because they’re hiding them very well.” [GigaOM]


US – Survey: 48% of IT Professionals Say NSA Overreached

The intersection of privacy and security is a “minefield of complex issues that need to be navigated by tech vendors, users and governments.” That was what Sean Michael Kerner took away from the RSA Conference last week, where the National Security Agency (NSA) was one of the many exhibitors to have an expo hall booth. A survey of IT professionals at RSA found that 48 percent said the NSA had overreached in its programs, while 52 percent said it did not. At one conference session, FBI Director James Comey appealed to IT professionals for ideas on how to balance the need for surveillance with privacy concerns. [eWeek] [US: Feds Refuse to Release Public Comments on NSA Reform — Citing Privacy] and [Spy Chief: We Should’ve Told You We Track Your Calls]

WW – SSL Bug Found in Apple Operating Systems

Security researchers and experts discovered a coding flaw late last week in the operating systems that run Apple’s mobile devices and computers that could allow hackers to circumvent encrypted connections. A single line in the software omitted commands to authenticate an encrypted website’s certificate, meaning hackers could impersonate sites and capture all the electronic data being communicated by users. Cryptography expert Matthew Green said, “It’s as bad as you could imagine; that’s all I can say.” Apple has offered a software update for mobile devices and said it would release a patch for Mac computers “very soon.” The bug has allegedly been present for months, and some have questioned whether it was a spy’s attempt to create a “back door” into the devices. [Reuters] [Apple promises to fix OS X encryption flaw ‘very soon’] See also: [iOS security hole reportedly exposes your screen input]

WW – Data-Centric Security: Reducing Risk at the Endpoints

In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. Jim Wyne looks at data-centric security as a method to mitigate risk and “ensure the most important asset of the business, the data, is protected.” [The Privacy Advisor]


US – Obama, NSA Take Heat for Crying “Privacy”

The Obama administration has refused to release the 28 proposals it has received from various corporations on managing the NSA’s database of phone metadata. In response to Wired’s questions, the Office of the Director of National Intelligence (ODNI) replied, “Upon review, ODNI has determined the material should be withheld in its entirety in accordance with FOIA exemptions … Exemption (b)(6) applies to information, which, if released, would constitute a clearly unwarranted invasion of personal privacy of individuals.” This led Venture Beat to comment, “So despite the questionable practice of collecting an individual’s private data without a warrant, the government has no problem keeping efforts to reform the NSA’s program under wraps because it would violate a corporation’s right to privacy.” [Wired] [NSA Wants to Expand Phone Database—Because of Privacy Suits] See also: [80 percent of Australians oppose warrantless e-surveillance]

UK – Agencies Spied on Millions Using Webcam Interception

Optic Nerve is a program created by UK intelligence agency GCHQ in conjunction with the U.S. National Security Agency to intercept and store webcam images of millions of Internet users, many of whom were not suspected of wrongdoing. According to files leaked by Edward Snowden, the program collected images from Yahoo webcam chats in bulk and stored them in agency databases. In one six-month period, the GCHQ collected images from more than 1.8 million user accounts. Yahoo said it was unaware of the activity. “This report, if true, represents a whole new level of violation of users’ privacy that is completely unacceptable, and we strongly call on the world’s governments to reform surveillance law,” the company said. [The Guardian] See also: [Snowden Documents Reveal Covert Surveillance and Pressure Tactics Aimed at WikiLeaks and Its Supporters]

WW – Reaching the Intended Viewer Made Easier with “Addressable TV”

Political campaigns will have the ability to target specific individuals. Addressable TV is a new technology that enables advertisers to pay broadcasters to pinpoint specific homes, the report states. “This is the power of a 30-second television commercial with the precision of a piece of direct mail targeted to the individual household level,” said Paul Guyardo, chief revenue officer at DirecTV. “Never before have advertisers had that level of precision when it came to a 30-second commercial.” Advertisers are looking at such data as voting histories, demographics and credit scores to find the viewers they aim to reach, the report states. [The Associated Press]

US – Newark Airport Surveillance System Poses Potential for Misuse

The recently installed 171 LED light fixtures at Newark Airport’s Terminal B are part of a new wireless network of sensors and video cameras that collect and feed data into software capable of recognizing license-plate numbers, identifying suspicious activity and sending alerts to staff. While officials with the Port Authority of New York and New Jersey plan to expand the project to other terminals and buildings, privacy advocates say the technology risks invading privacy. Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University, called the potential for misuse “terrifying,” the report states. [The New York Times]

Telecom / TV

WW – Telecoms Press on With Biz Plans Despite Privacy Awareness

Although the Snowden revelations brought privacy into the forefront of mainstream conversation, many telecoms will continue with business plans aimed at capitalizing on the vast data stores their customers create. “Privacy is a hot-button issue right now, but we think we can take a leadership stance,” said Verizon’s Colson Hillier. “It’s not a reputational risk if you do it right and are proactive in communication with consumers and policy-makers.” However, some competitors are taking the opposite tack. The trend toward the monetization of Big Data led The New York Times to editorialize that a Big Data study commissioned by U.S. President Barack Obama needs to produce “not only a thorough description of how businesses are collecting private data but also specific legislative proposals to give consumers more control of that information.” [Reuters]

US – “Revenge Porn” Victim Awarded $500K in Civil Case

A jury in Texas has awarded a woman $500,000 in a “revenge porn” case. An ex-boyfriend blackmailed her and eventually published the material on the Internet. Though there is no specific law against it in Texas, two state lawmakers are working on legislation that would make revenge porn illegal. Critics, however, warn such a law could violate the First Amendment. One legal analyst said, “If you allow the state or federal government to restrict your speech in one instance, it could expand and get more restrictive over other matters and nobody wants that.” New Jersey and California have both outlawed revenge porn and other states are considering a similar move. [KTRK-TV]

US Government Programs

US – ABA Asks NSA for Clarification on Attorney-Client Privilege

After a report by The New York Times describing the alleged surveillance of a U.S. law firm and its clients by the National Security Agency (NSA) and its Australian counterpart, the president of the American Bar Association (ABA) has sent a letter to the NSA expressing concerns about the privacy of attorney-client privilege. ABA President James Silkenat has also asked for clarification on the NSA’s policies and practices concerning intercepted confidential data. “The attorney-client privilege is a bedrock legal principle of our free society and is important in both the civil and criminal contexts,” he wrote, adding, “It enables both individual and organizational clients to communicate with their lawyers in confidence, which is essential to preserving all clients’ fundamental rights to effective counsel.” [Full Story] See also: [AU: Immigration Department data lapse reveals asylum seekers’ personal details]

US – Leaked NSA Document Indicates Client-Lawyer Confidentiality Compromised

Amidst a chorus of concerns by American lawyers with clients overseas that their confidential communications could be compromised by state surveillance, it appears at least one law firm has already been affected. A top-secret document obtained by Edward Snowden indicates a U.S. law firm’s communications with Indonesian officials over trade talks had been accessed. Meanwhile, the Privacy and Civil Liberties Oversight Board is turning its attention to another NSA program allowing the agency to monitor Internet traffic belonging to foreign intelligence targets, and the National Institute of Standards and Technology has released its Framework for Improving Critical Infrastructure Cybersecurity. [The New York Times]

US – Is PI Used for Online Educational Services Protected?

The Department of Education (DoE) has weighed in with an answer to the question of whether personal information (PI) collected in the $8 billion preK-to-12th-grade education software industry is “federally protected from being shared or sold by technology vendors.” The answer? “It depends.” New DoE guidance includes that “careful wording,” the report states, in detailing “requirements and recommended practices for school management of online education services that directly involve students or their parents.” Meanwhile, Forbes reports on The Student Privacy Zone Summit in Washington, DC, aimed at ensuring student information “is restricted to educational use only.” [The New York Times]

US – TSA Pre-check Gives Rise to Privacy Concerns

Privacy concerns are coming out of the Transportation Security Administration’s (TSA) Pre-check expedited screening program. TSA Administrator John Pistole aims to move half of air travelers through expedited screening by the end of 2014. As the program expands, however, privacy experts warn against giving up more personal information in exchange for quicker travelling. “Either the assessments will be based on a laughable amount of information about people and will only be providing an illusion of security, or they will be so intrusive that the government will basically be doing background checks on everyone who flies,” said the American Civil Liberties Union’s Jay Stanley. [USA Today]

US Legislation

US – Illinois Senate Committee Passes Revenge Porn Bill

An Illinois Senate committee has unanimously passed a bill that would make it a felony to post sexual material of others on the Internet without consent and to use that material for blackmail purposes. The American Civil Liberties Union of Illinois is concerned the measure is too broad and may restrict free speech. [The Associated Press]

US – Indiana Senate Committee Passes Digital Privacy Bill

An Indiana Senate Committee has unanimously passed HB 1009, which would limit law enforcement’s use of drones, GPS tracking and cellphone searches as well as set new rules for citizens’ use of surveillance technologies. [The Statehouse File]

US – Kansas Student Privacy Bill Gains School Board Assoc. Support

The Topeka Capital-Journal reports that the Kansas Association of School Boards has put its support behind a bill that would restrict the sharing of student data and collection of biometrics, codifying the Department of Education’s practices. SB 367 would prevent data sharing with other state agencies in the absence of data-sharing agreements, which causes concern for the state’s epidemiologist, who says it could have unintended consequences for public health.

US – Colorado Bill Aims To Protect SSNs

Colorado’s HB 14-1141 is headed to the house after being passed by the State, Veterans and Military Affairs Committee. The bill, sponsored by Rep. Don Coram (R-District 58), would prohibit state and local government entities from requiring unpaid board members to disclose their Social Security numbers. [The Watch]

US – California Bill Would Restrict Use, Collection of Student Data

California Sen. Darrell Steinberg (D-Sacramento) will today introduce a bill aimed at protecting student data. “The bill would prohibit education-related websites, online services and mobile apps for K-12 graders from compiling, using or sharing the personal information of those students in California for any reason other than what the school intended or for product maintenance,” the report states. A growing chorus of lawmakers believes laws on student data have been unable to keep pace with technological innovations. Steinberg said he doesn’t want to limit legitimate use of student data but believes the data should be used for “educational benefit and nothing else.” [The New York Times]

US – Florida Sen. Proposes Limits on Prescription Drug Database Access

Florida Sen. Aaron Bean (R-Fernandina Beach) has proposed SB 862, which would require law enforcement to get a court order to access information in the state’s prescription drug database. Police say the database has helped curb prescription drug abuse, and a judge recently dismissed a case challenging investigators’ access to the data, but others in the state say citizens need more privacy protections. Bean says there needs to be a balance between privacy and law enforcement, adding, “The government already monitors our phone calls; they read our e-mail. Does the government have to be in our medicine cabinets, too? I don’t think they do.” [The Daytona Beach News-Journal]

US – Illinois House Committee Endorses Student Privacy Bill

HB 4558, which would require that public preK-12 schools get written parental consent prior to sharing student data with outside individuals or entities, heads back to the house for consideration after gaining the support of the Elementary & Secondary Education Committee. The bill’s sponsor, Rep. Scott Drury (D-Highwood), points to education data nonprofit inBloom as an example of the need for the law. “Illinois is allowing your student’s data to go to a hub that’s called inBloom, along with two other states that are allowing it,” Drury said, adding, “From inBloom, third-party vendors can buy that data and target your kid by Social Security number or by name.” InBloom has released a statement saying it “will never sell student or customer data.” [The Herald-Review]

US – Illinois Senate Considering Cellphone Tracking Limits

The Illinois Senate is now considering legislation to require authorities to obtain a search warrant prior to using cellphone geolocation technology to track individuals in most circumstances. Sen. Daniel Biss (D-Evanston) says his bill aims to protect privacy, noting, “If you envision a world where there’s no gates around what can be done with our information that comes from a cellphone … that’s a picture of a world that nobody wants to live in.” This is Biss’s second attempt, and with the new iteration, he has gained the support of Deputy Chief of Narcotics for the Cook County State’s Attorney Office Patrick Coughlin, who testified against his first bill. “Our biggest objection was that we needed to have probable cause for any location information, including historical information—where someone was a week ago,” which Coughlin said could hamper investigations. [The Chicago Sun-Times]

US – New Mexico House Passes Breach Notification Bill

The New Mexico House has passed an amended version of HB 224, which would require companies to notify customers of a data breach within 45 days of discovery—as opposed to the 10 days originally proposed. The bill also includes requirements for notifying the state attorney general and consumer reporting agencies within 14 days and has a risk-of-harm threshold for notifications as well as payment card breach provisions. [Bloomberg BNA]

US – Texas Court Expands Privacy Rights

The Texas Court of Criminal Appeals has expanded cellphone privacy rights in its ruling that police improperly searched a Huntsville student’s cellphone without a warrant. The phone was being held in a jail property room, and while prosecutors claimed officials have a right to search inmates’ items with probable cause, the court said in its decision, “A cellphone is unlike other containers as it can receive, store and transmit an almost unlimited amount of private information,” adding, “The potential for invasion of privacy, identity theft or, at a minimum, public embarrassment, is enormous.” The one dissenter in the nine-judge panel wrote in his opinion that the defendant failed to prove an expectation of privacy because he was not in possession of the phone and knew it was in the hands of the police. “The fact that cellphones potentially contain vast amounts of private data, by itself, does not automatically result in a finding of a reasonable expectation of privacy in every case,” he said. [American-Statesman]

US – Supreme Court Rules Warrant Needed for Cell Location Data 

The Massachusetts Supreme Judicial Court has ruled that police must obtain a warrant prior to collecting cellphone location data. The court ruled 5-2 against prosecutors, deciding that obtaining cell-site location information over a two-week period “without a warrant based on probable cause was an invasion of privacy and a violation of the state Declaration of Rights.” The decision “says that people can have a constitutionally protected privacy interest in information about them even if that information is in the hands of a third-party service provider like their cellphone company,” said Matthew Segal, legal director for the American Civil Liberties Union of Massachusetts. [The Associated Press]

US – New Jersey Assembly Committee Passes Reader Privacy Act

The New Jersey Assembly Consumer Affairs Committee has unanimously recommended passage of the Reader Privacy Act. The law would require police to obtain a judge’s approval before collecting information about a person’s book and e-book purchase history and prevent sellers from sharing the information with third parties. If passed, the state would become the third in the nation to have such a law. [The New Jersey Law Journal]

US – Rhode Island Considers Social Media Privacy Bill

The Rhode Island Legislature is considering a bill that would prohibit employers and schools from penalizing employees or students for refusing to hand over social media information or compelling them to do so. Senate Majority Leader Dominick Ruggerio (D-Providence and North Providence) and Rep. Brian Patrick Kennedy (D-Hopkinton and Westerly) proposed the legislation, with Ruggerio noting, “The term ‘social media’ does not mean everything associated with a person’s online presence is automatically public, and it is not a license for an employer or school to pry into private material,” according to a press release. [The Brown Daily Herald]

US – Wisconsin Senate Passes Drone Bill

The Wisconsin Senate passed a bill that would limit police and others’ use of drones, including barring drones with cameras and weapons. Under the bill, police would need a warrant to use data collected by drones unless in public, and the bill would ban private individuals from using drones to record others where they would have a reasonable expectation of privacy. While civil rights advocates say drones pose a threat to privacy, drone industry groups are concerned that drone privacy bills will hamper the benefits of drones. [The Milwaukee-Wisconsin Journal Sentinel] See also: [US: Assembly passes bill to protect confidentiality of student records]

US – Wyoming Student Privacy Bill Heads to House Floor

The Wyoming House Judiciary Committee passed a bill requiring parental consent before collecting children’s personal and education data, but first it amended the bill to state that only data collected by the state Department of Education would require the consent. HB 179 passed with a 7-2 vote. Rep. Lynn Hutchings (R-Cheyenne) said the bill would allow parents “to be able to see exactly what’s going on, what the education system is asking for and truly get involved by saying each year, ‘Yes, I agree that you can collect this data or not.’” The bill will now go to debate on the House floor. [The Associated Press]

Workplace Privacy

CA – Union’s Right to Employees’ Home Contact Information from Employer Trumps Privacy Concerns

Elizabeth Bernard is an employee of the Canada Revenue Agency. She objected to the disclosure of her home contact details by her employer as requested by the union. Ms. Bernard took the position that disclosure of her home contact details breached her privacy rights and her Charter right not to associate with the union (she is not a member of the union, but is represented by the union in the collective bargaining context). The Public Service Labour Relations Board concluded that only being able to contact employees through their workplace did not allow the union to represent employees effectively. It also found that the disclosure of home contact details was consistent with the purpose for which the information had been obtained under section 8(2)(a) of the Privacy Act, which is one of the exceptions to the ban of disclosure of government held information. The Board declined jurisdiction to consider the Charter arguments. On judicial review, the Federal Court of Appeal upheld the Board’s conclusions. The matter was then appealed to the Supreme Court of Canada, which handed down its decision on February 7, 2014. [Mondaq News] [Monitoring device goes beyond checking work productivity]

US – D.C. Council Weighs ‘Banning The Box’ Asking For Criminal History

Some 60,000 D.C. residents, about 10 percent of the population, have a criminal history. Many of them are unemployed, and standing between them and any shot at a job is one little box. “Have you ever been convicted of a crime?” is a question that often appears on employment forms. Check yes and you are likely to be automatically disqualified, with no opportunity to say when or what the offense was, explain any extenuating circumstances or put the criminal history in perspective. Legislation that would “ban the box” is pending before the D.C. Council and deserves thoughtful consideration. The “Fair Criminal Record Screening Act of 2014,” sponsored by D.C. Council member Tommy Wells (D-Ward 6), is part of a growing national movement that seeks to prevent employers from asking about criminal records during the initial stage of hiring for a job. [Source] See also: [US: Lawmakers’ report: FDA monitoring of staff e-mails may have violated whistleblowing law]

