Monthly Archives: February 2019

01-14 February 2019

Biometrics

US – SF lawmaker Seeks Ban on Use of Facial Recognition by Cops

San Francisco could become the first city in America to outright ban the use of facial recognition technology by its police department or any other city agency if a new municipal ordinance proposed by Supervisor Aaron Peskin [called the “Stop Secret Surveillance Ordinance” – see Fact Sheet] passes in the coming months. The city would also impose a new pre-emptive “Surveillance Technology Policy” for city agencies that want to acquire any new gear that could impact privacy. Such a requirement would put San Francisco in line with its neighboring cities of Oakland and Berkeley. The bill states unequivocally that the risks involved in using the technology “substantially outweigh its purported benefits, and the technology will exacerbate racial injustice and threaten our ability to live free of continuous government monitoring.” But the legislative aide also said that the board of supervisors still does not have a full inventory of what surveillance technology both agencies have. Facial recognition historically has resulted in more false positives for African-Americans. As Ars has reported before: if the training data is heavily skewed toward white men, the resulting recognizer may be great at identifying other white men but useless at recognizing anyone outside that particular demographic. Last May, the Congressional Black Caucus wrote to Amazon CEO Jeff Bezos expressing concern over the “profound negative consequences” of the use of such technology. Nevertheless, law enforcement at airports in particular have recently expanded their use of the technology. The SFPD would not give its opinion on the bill. The bill is set to go to the Board’s Rules Committee in 30 days and could be in front of the entire Board within months. It requires six votes to pass—but would be vetoed by the mayor. Eight votes (of the 11 total supervisors) would constitute a veto-proof majority. Ars Technica

WW – WhatsApp Update Adds Biometric Authentication Option

A recent update to WhatsApp allows users to lock the app with biometric tools. WhatsApp version 2.19.20 on iPhones lets users lock the app with Face ID or Touch ID. A caveat: if users have set their notifications to allow message previews, those will still be visible and can be replied to without opening the app. Calls to WhatsApp can also be answered without unlocking the app. A version of WhatsApp with a biometric protection feature for Android is reportedly in beta testing.

  • cyberscoop.com: WhatsApp adds biometric feature to help protect messages
  • theverge.com: WhatsApp can now be locked using Face ID or Touch ID

Canada

CA – Extend Freedom of Information Law to B.C. Legislature, Say Watchdogs

B.C.’s Information and Privacy Commissioner Michael McEvoy, Merit Commissioner Fiona Spencer and Ombudsperson Jay Chalke have recommended changes to require public disclosure of B.C. legislature expenses, in the wake of the suspension of the top two managers for financial irregularities. On Tuesday, NDP house leader Mike Farnworth said the B.C. legislature will open up its secret operations. However, Farnworth said the legislative changes may have to wait for the fall session to present to MLAs for a vote. In a February 4 letter addressed to Darryl Plecas, Speaker of the B.C. Legislative Assembly [see Press Release], McEvoy, Spencer and Chalke write: “We wish to emphasize that we are making these suggestions regardless of the resolution of the status of the suspended permanent officers.” [on reference to suspended officers see here] Their recommended changes are for the “corporate Legislative Assembly,” historically controlled only by the Speaker, the letter adds. Recommendations include extending the Freedom of Information and Protection of Privacy Act to the legislature, which has a $70 million budget to run MLA constituency offices and the parliament buildings, including everything from a restaurant to security to the chamber itself. Surrey Now – Leader

CA – N.L. looking for New Privacy Watchdog as Donovan Molloy Takes Judge Job

The search is on for a new information and privacy commissioner in Newfoundland and Labrador after Donovan Molloy takes the bench in the Northwest Territories [see coverage here]. Molloy, who was named commissioner in 2016, will become a territorial judge on Feb. 20. Over the years, Molloy rebuked the justice department for its handling of an access to information request and scolded the province for breaking its own information laws. Molloy has also reviewed high-profile privacy concerns, including the town of Paradise’s use of security cameras as well as the widespread sharing of videos appearing to show shoplifters. Perry Trimper, N.L.’s house speaker, is responsible for convening the committee that will find Molloy’s replacement, something he said will not be easy. He said the committee will first find an acting commissioner. He wouldn’t say how long it might take to find a permanent hire. “We will be starting immediately to put someone in there. So we’ve got some ideas but I’ll let the process unfold,” he said. CBC News

CA – SK Minister of Justice Hopes to Clear the Way for Police to Name Homicide Victims

Justice Minister Don Morgan says bringing Saskatchewan police services under freedom of information regulations had unintended consequences, when police services decided the new regulations meant they should not release victims’ names after a homicide. On Jan. 22, the province made an amendment to The Local Authority Freedom of Information and Protection of Privacy Amendment Regulations. The amendment, recommended by Morgan, explicitly states that police services are permitted to “disclose to the public the name of a deceased person whose death is being investigated as a homicide.” Morgan said some police services interpreted the wording of the [unamended regulations] to mean that the deceased in a homicide investigation had the right to privacy until a charge was laid. As a result, the Regina Police Service decided to stop naming some homicide victims in its public releases. The amendment also applies to Investigative Services and Security Intelligence Units within the Ministry of Corrections and Policing. Despite the amendment, Saskatoon Police Service spokesperson Julie Clark said SPS will not change its conduct around the naming of homicide victims. “We are continuing our practice of not naming homicide victims, unless requested otherwise by the family of the deceased,” said Clark. The Regina Police Service did not comment by publication time. In the past, the RPS has opted to act in line with recommendations from the information and privacy commissioner and will not [automatically] release a homicide victim’s name. Morgan said the privacy commissioner has taken the position that a deceased person still has rights to privacy. However, he takes a different view and hopes the amendment will allow the old practice of naming homicide victims by default to come back into common practice in Saskatchewan. Source: CBC News

Consumer

WW – Report Predicts Companies Will Give Users More Privacy and Control of Data

In its “Technology Vision 2019” report, Accenture predicts organizations will give consumers more privacy and control over their data. Accenture’s annual report covers the trends it believes will impact businesses over the upcoming three years. The report states in order for companies to build trust with consumers, they need to place an emphasis on transparency and the ability to manage their own information. “Companies are amassing tremendous amounts of information about consumers,” Accenture Chief Technology and Innovation Officer Paul Daugherty said. “The key thing for companies to think about is just because you can do something doesn’t mean you should do something.” [Fortune | Accenture]

E-Government

CA – Ontario Launches Consultations on Data Collection to Create Provincial Strategy

The Government of Ontario has launched data strategy consultations to gather information to create a provincial strategy to address concerns around personal data collection, privacy and security. Progressive Conservative MPP Bill Walker, who is also the Ontario Minister of Government and Consumer Services, said that the government is “seeking to get a better understanding” of how the government is able to drive innovation by protecting data at the same time. He said that through the consultation process the government will look at whether current laws and policies “provide sufficient protection in an age of widespread data collection, sharing and use.” He noted that some practices of data collection these days are shaping a lot of key decisions regarding health, finances and education. The public can participate in the consultation through an online survey until March 7th. Walker said that the consultations will focus on three topics: promoting public trust and confidence, creating economic benefits, and enabling a better, smarter, efficient government. He elaborated the government intends on “introducing world-leading, best-in-class privacy protections” and helping Ontario firms develop a business that is data-driven and able to “seize the commercial value of data.” The idea behind the consultations is so that the government can create a Task Force on Data; the task force will later create a draft Data Strategy document based on responses from the consultation. Walker expanded that the government will also seek further public consultations on the strategy before finalizing it. He did not say when the report will be final and did not say when consultations will end but said that they will continue throughout 2019. He also noted that no decision has been made on “the composition of the task force.” Mobile Syrup | Ontario launches consultations on data collection to create provincial strategy

CA – British Columbia Political Parties Illegally Gather Voters’ Data: OIPC BC

Information and Privacy Commissioner for British Columbia Michael McEvoy said political parties have illicitly gathered the personal information of citizens within the province. While political parties can conduct efforts to learn about voters, McEvoy said many attempts to do so happen without consent, a violation of provincial law. The commissioner cited canvassers who record symbols to hint at voters’ religious preferences or ethnicities. McEvoy said political parties have sent email addresses to Facebook in order for the social media company to find demographic patterns. “Essentially, they have to have the consent of people they’re collecting information from,” McEvoy said. “You need to ask permission. That’s the basis of the law.” [StarMetro]

E-Mail

US – FTC Completes Review of CAN-SPAM Rule

The Federal Trade Commission announced that it has completed its first review of the CAN-SPAM Rule [see here & text here — & wiki here], which establishes requirements for commercial e-mail messages and gives recipients the right to opt out of receiving them. The Commission voted to keep the Rule with no changes. The Rule requires that a commercial e-mail contain accurate header and subject lines, identify itself as an advertisement, include a valid physical address, and offer recipients a way to opt out of future messages. As part of its regular, systematic review of all its rules and guides, the FTC in June 2017 sought public comment on the Rule, including whether it is still needed, the costs and benefits of the Rule, and whether changes needed to be made to the Rule in response to technological and economic developments. The FTC also sought comment on three specific issues related to the CAN-SPAM Rule, including whether the Commission should change the categories of messages treated as “transaction or relationship messages,” shorten the time period for processing opt-out requests, or specify additional activities or practices that might be considered as aggravated violations. The FTC received 92 comments, which overwhelmingly favored keeping the Rule. After reviewing the comments, the Commission concluded that the Rule does benefit consumers and does not impose substantial economic burdens, and that no changes to the Rule were needed at this time. The Commission voted 5-0 to approve publication of the confirmation of the Rule [see 24 pg PDF here] in the Federal Register. Source: FTC News & Events (US Federal Trade Commission)

Electronic Records

WW – Increased Digitization Turning Privacy Pros into Strategic Advisors

As digitization continues to influence organizations’ business models, there has been a growing need for privacy professionals to become strategic advisors. Gartner Director and Team Manager Stephanie Quaranta said privacy pros have seen their roles expand to cover the management of risk and help senior leaders understand the value of information. “Information is becoming the most valuable asset organizations hold, but that value can be trapped if organizations don’t understand how they should use that information,” Quaranta said. “Privacy executives can help navigate not only the regulatory environment, but increasingly, also questions about customer, board and other external expectations.” Gartner also offers advice on ways privacy pros can manage consumers’ privacy appetite, such as the creation of consumer-facing policies and stronger data rules with third parties. [Gartner]

EU Developments

EU – Key Takeaways from the Privacy Shield Annual Review

In January, the EU European Data Protection Board issued its 29 pg report on the second annual review of the EU-US Privacy Shield. It provides some valuable compliance reminders for organizations that have certified or intend to certify to the Privacy Shield program. The report, which mainly focuses on the EU regulators’ ongoing concerns about the US government’s access to personal data and their desire to see more substantive certification reviews by the US government, details oversight efforts currently being undertaken by the Department of Commerce (Commerce) and the Federal Trade Commission (FTC). Both Commerce and the FTC have significantly increased their oversight and enforcement of the Privacy Shield program. The report provides a useful roadmap for organizations to avoid getting caught in the US government’s enforcement crosshairs. This alert: 1) highlights some of the key findings of the Report with respect to the commercial functioning of the Privacy Shield; 2) reviews the US government’s current Privacy Shield compliance oversight initiatives; and 3) provides a list of compliance tips for Privacy Shield-certified organizations. Source: Client Alert (Morrison & Foerster)

EU – Update on Status of the Draft e-Privacy Regulation

It looks unlikely that the draft e-Privacy Regulation will come into effect before 2021. European Council negotiations on the text of the draft Regulation are currently ongoing, and trilogue discussions by the Council, Parliament and Commission will then take place. However, the upcoming May 2019 European elections may lead to a delay in the Council adopting a common position and the trilogue discussions commencing. The latest draft text of the Regulation was published by the European Council on October 19, 2018 and will apply 24 months from the date it is adopted, with the result that even if it is adopted imminently, it may not come into effect until 2021. Late last year, various industry associations raised concerns about the draft Regulation in a joint letter urging the EU institutions not to rush negotiations, stating that many substantive issues which have been raised since the draft Regulation was first put forward have not yet been addressed and that the expanded scope of the draft Regulation would create a large overlap with the GDPR, effectively replacing large portions of the GDPR for a vast majority of data processing activities. It called for closer consideration of the legal bases for both electronic communications data and terminal equipment data and alignment with those available under the GDPR. The Council of the EU has released a progress report on the draft Regulation, highlighting the main topics where further work is necessary. In particular, the Report notes that Article 10 (the provision on privacy settings) has raised a lot of concerns, including with regard to the burden for browsers and apps, the competition aspect, the impact on end-users, and the ability of this provision to address the issue of consent fatigue. The original aim of Article 10 was to address the issue of users being overloaded with pop-up windows requesting consent to the use of cookies. Source: Ireland IP & Technology Law Blog (A&L Goodbody)

EU – EDPB Issues Guidance on Clinical Trials Regulation and the GDPR

The European Data Protection Board (EDPB) recently adopted its opinion [see 9 pg PDF here] on the interplay between the Clinical Trials Regulation 536/2014 (CTR) [see here & 76 pg PDF here] and the General Data Protection Regulation 2016/679 (GDPR) [see here & wiki here]. The opinion was given at the request of the European Commission. The opinion distinguishes between the primary use of data including: 1) Processing for reliability and safety purposes; and 2) Processing for research activities and the secondary use of data in clinical trials which is the processing of data for scientific purposes, but outside the scope of the clinical trial protocol and requires a separate legal basis under the CTR. However, the EDPB suggests that the GDPR’s presumption of compatibility applies here and it is presumed that the secondary use is not incompatible with the original purpose (and thus, is within the scope of the protocol) if the data is processed for archiving purposes in the public interest, scientific research, historical research or statistical purposes, and there are appropriate safeguards. The EDPB’s opinion provides some clarity on the relationship between the CTR and the GDPR. Sponsors will particularly benefit from the guidance on legal bases. The interplay between secondary use under the CTR and the GDPR’s presumption of compatibility needs to be addressed further; the EDPB plans to issue guidance on this in the future. The CTR is expected to enter into force in 2020. Technology Law Dispatch (ReedSmith)

EU – German Regulators Prohibit Facebook from Merging User Data Without Consent

German regulators have forbidden Facebook from combining user data from its different platforms (such as Instagram and WhatsApp) without explicit user permission. The decision from Germany’s Bundeskartellamt also forbids Facebook from combining user data with information from third-party sources without user consent. Bundeskartellamt president Andreas Mundt notes that “an obligatory tick on the box to agree to the company’s terms of use is not an adequate basis for such intensive data processing. The only choice the user has is either to accept the comprehensive combination of data or to refrain from using the social network. In such a difficult situation the user’s choice cannot be referred to as voluntary consent.” Facebook disagrees with the regulator’s decision, writing in a blog post, “While we’ve cooperated with the Bundeskartellamt for nearly three years and will continue our discussions, we disagree with their conclusions and intend to appeal so that people in Germany continue to benefit fully from all our services.”

  • bundeskartellamt.de: Bundeskartellamt prohibits Facebook from combining user data from different sources
  • bundeskartellamt.de: Background information on the Bundeskartellamt’s Facebook proceeding
  • zdnet.com: Facebook broad data collection ruled illegal by German anti-trust office
  • scmagazine.com: Germany bans Facebook from combining user data without permission
  • bbc.com: Facebook ordered by Germany to gather and mix less data

EU – Bavarian DPA Conducts Website Cookie Practices Sweep, Announces Fines

The Data Protection Authority (DPA) of the German state of Bavaria announced it was considering fining a number of companies under the GDPR for their website cookie practices. It conducted a sweep of 40 large companies’ website cookie and user tracking practices. None of the 40 companies it audited had built GDPR-compliant cookie/tracking practices into their websites. While the identities of these companies have not been published, the Bavarian DPA identified the industries in which the companies were active, including: (a) Online retail; (b) Sports; (c) Banking & insurance; (d) Media; (e) Automotive & electronics; (f) Home and residential; and (g) Other. No company was identified as a technology or ‘tech’ company. The Bavarian DPA’s action potentially signals that cookies, user tracking, and online advertising are not a ‘tech industry issue,’ but instead a priority issue for companies irrespective of their industry. The Bavarian DPA’s action is [evidence] that cookie compliance appears to be becoming a front-burner issue for EU privacy regulators – and an issue that can generate fines. Source: Privacy & Data Security Blog (Alston & Bird)

EU – Irish DPC Opened Seven Different Probes Against Facebook

Irish Data Protection Commissioner Helen Dixon announced Facebook faces seven different data-protection investigations by the DPC. Dixon said the inquiries are part of 16 cases the DPC has launched against tech companies, which include Twitter, Apple and LinkedIn. “We’re at various concrete stages in all of them, but they’re all substantially advanced,” said Dixon, who added final decisions in the investigations may not come until the summer. CNBC reports Facebook has seen an increase in users and strong earnings despite its privacy issues, and CNET reports Apple has reinstated Facebook’s enterprise certificates to run internal-tested iPhone apps. [Bloomberg]

UK – ICO Releases Discussion Paper on Regulatory Sandbox Beta Phase

On January 30, 2019, the UK Information Commissioner’s Office (“ICO”) released a discussion paper on the upcoming beta phase of its regulatory sandbox initiative [see blog post here]. The ICO had launched a call for views on creating a regulatory sandbox in September 2018, and the feedback received facilitated developing systems and processes necessary to launch the beta phase. According to the ICO, the purpose of the sandbox is to support the use of innovative products and services that are in the public interest, to assist in developing a shared understanding of what compliance in innovative areas looks like and to support the UK in being an innovative economy. [also see “what is a regulatory sandbox?” here] The Discussion Paper outlines the application process for entering the beta phase of the sandbox, how the ICO sees the sandbox working in practice and the types of support it will offer organizations in the sandbox. It also presents various questions on its proposed approach, to which it seeks feedback. The ICO has launched an intention-to-apply survey to allow organizations to express interest in applying and to provide information about any product or service they plan to enter into the beta phase [see here]. Full details of the beta phase will be made available by the end of March with formal applications opening towards the end of April. The beta phase is expected to run from July 2019 to September 2020. Source: ICO.org and Privacy & Information Security Law Blog (Hunton Andrews Kurth)

EU – Dutch Ministry Concerns Prompt Microsoft to Update Office Pro Plus

After privacy concerns were raised by the Dutch justice ministry, Microsoft has agreed to update its Office Pro Plus products by the end of April. The ministry’s primary concern centered on the transfer of diagnostic data by the Microsoft products from Europe to the U.S. The Dutch ministry could raise the concern with European data protection authorities should Microsoft implement “unsatisfactory” changes, a ministry spokesman said. “The ministry commissioned the report in its capacity as a customer to clarify how our services are run and we’re working with the ministry’s staff to share additional information and help resolve its questions as we would for all enterprise customers,” Microsoft Corporate Vice President and Deputy General Counsel Julie Brill said. [Politico]

Facts & Stats

US – Report Finds 447M Records Breached in 2018

A 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center found that hackers stole 447 million customer records involving sensitive data, representing a 126% increase from the previous year. Despite the increase, the report also found that the number of data breaches went down 23% but still concluded, “Data breaches are now a normal, everyday occurrence.” Meanwhile, one of the largest hospital networks in the U.S., Community Health Systems, reached a settlement with 4.5 million patients impacted by a 2014 malware attack that, if approved, could give those impacted up to $5,000 in losses. [NBC News]

EU – Businesses Reported 59K Data Breaches Since GDPR: Study

A study from DLA Piper found European businesses have reported 59,000 data breaches since the EU General Data Protection Regulation went into effect. The Netherlands reported the most breach notifications with 15,400, followed by the U.K. with 10,600. Liechtenstein had the fewest incidents with 15. DLA Piper Partner Ross McKean said the GDPR is “driving personal data breach out into the open.” The report found 91 fines have been administered since the GDPR became law. “We anticipate that regulators will treat [a] data breach more harshly by imposing higher fines given the more acute risk of harm to individuals,” DLA Piper Partner Sam Millar said. “We can expect more fines to follow over the coming year as the regulators clear the backlog of notifications.” [IT Pro Portal]

Finance

WW – Cryptocurrency Funds Frozen After Death of Founder

The founder of Canadian cryptocurrency exchange QuadrigaCX, and the only individual holding the passwords to the company’s “cold wallets,” has died, leaving the company unable to access as much as US$190 million in cryptocurrency and fiat currency (legal tender). The company continued to operate for a month after the founder’s death using funds in its hot (live) wallet and in its fiat accounts. Canadian authorities have frozen the company’s assets.

  • zdnet.com: $145 million funds frozen after death of cryptocurrency exchange admin
  • com: Crypto Exchange Says It Can’t Repay $190 Million to Clients After Founder Dies With Only Password

FOI

CA – PEI Whistleblowers File Lawsuit Against Ex-Govt Officials Over Data Leaks

The three former Prince Edward Island government employees who had their information leaked to the press after they came forward with allegations of corruption have sued several former provincial officials. Former Premier Robert Ghiz has been named in the lawsuit, as well as former Innovation Minister Allan Campbell, former Deputy Minister of Economic Development Michael Mayne and former Liberal Party Spokesman Spencer Campbell. The plaintiffs allege in the lawsuit the defendants created a “strategy … to undermine the plaintiffs’ credibility by portraying them as liars, ‘crazy,’ or partisan towards the Prince Edward Island Conservative Party.” [Canadian Press]

CA – How to Avoid a Paper Trail: The Reliable — Sometimes Illegal — Tricks Used by Bureaucrats and Political Staff

The practice of leaving no paper trail is a well-known strategy among political staff and bureaucrats. The underlying idea of avoiding the creation of written records is deeply embedded in governments across Canada — and it has been exposed time and time again. Not all cases are illegal, but the practice violates the principle that governments are supposed to be accountable to the people who elect them. The issue has surfaced in the criminal trial of Vice Admiral Mark Norman, as his defence team wages battle to collect subpoenaed documents across seven government departments and agencies. Over the years, a few common themes have emerged over how government officials, bureaucrats and political staff avoid leaving a paper trail — or, when the trail does exist, attempt to block its disclosure. [This post reviews] a few of the best-known tactics: 1) Don’t write it down; 2) Code words and pseudonyms; 3) Sticky notes; 4) Delete, destroy or rename; 5) Use personal phones for government business; and 6) Claim the documents don’t exist — even when they do. Source: The London Free Press | See also: Several witnesses in Norman trial still haven’t searched personal records for evidence, court told | As Liberal insider takes the stand, Norman’s lawyers hint at more ‘code names’ | Trudeau asked about Scott Brison’s emails in the Mark Norman case | Scott Brison seeks standing at Mark Norman hearing, looking to protect his ‘privacy’ | Twin investigations launched into whether military blocked access to information in Mark Norman case | Code Name ‘Kraken’: How Mark Norman’s lawyers allege military used pseudonyms to hide records | In the Mark Norman case, the Crown doesn’t seem to be curious about the truth | Military never investigated leak of Mark Norman letter from HQ, says it wasn’t a breach of security

Genetics

US – At-Home DNA Testing Company Grants FBI Selected Access to Database

At-home DNA testing company Family Tree DNA is allowing the U.S. Federal Bureau of Investigation to search its genealogy database to help solve violent crimes. Though the FBI cannot freely browse the genetic profiles, the access “would help law enforcement agencies solve violent crimes faster than ever,” the company said. According to the report, Family Tree does not have a contract with the agency but “has agreed to test DNA samples and upload the profiles to its database on a case-by-case basis since last fall.” The company said customers can opt out of familial matching, which would prevent them from being searchable by the FBI. [Buzzfeed]

Health / Medical

US – ONC Releases Proposed Rule on Patient Data Access

The U.S. Office of the National Coordinator for Health Information Technology proposed a new rule on patient data access. The proposed rule would require health care organizations to give patients their data electronically for free in order to prevent any form of information blocking. The ONC rule also seeks to have health care adopt standardized application programming interfaces to help patients examine their records on their smartphones and mobile devices. Meanwhile, the U.S. Department of Health and Human Services announced it will require health care professionals and organizations to use digital health records by 2020. Healthcare IT News

WW – Microsoft Announces New Health Care Tools

Microsoft has announced a new suite of capabilities for its cloud network offerings and communication tools, aimed at addressing the needs of the health care industry and access to medical records. Through partnerships with interoperability providers, Microsoft announced features of the Teams app, its priority notification feature for users, and an artificial intelligence–powered virtual assistant chatbot at the Healthcare Information and Management Systems Society conference. The company reported that Quest Diagnostics recently introduced a version of the health care chatbot in compliance with various privacy regulations, including the Health Insurance Portability and Accountability Act and the EU General Data Protection Regulation. [FierceBiotech]

US – OCR Reaches $3M Settlement to Conclude Record Year for HIPAA Actions

The U.S. Department of Health and Human Services’ Office for Civil Rights reached a settlement with Cottage Health for $3 million over violations of the Health Insurance Portability and Accountability Act. Cottage Health suffered two data breaches that impacted more than 62,500 individuals. The first incident involved a server left accessible on the internet, while the second involved a misconfigured server an IT team worked on in response to a troubleshooting ticket. The $3 million settlement added to an all-time record year for HIPAA enforcement activity for the OCR. The agency received $28.7 million from enforcement actions in 2018, up from the previous high of $23.5 million in 2016. [HHS]

US – Public-Private Partnership Guidelines for Protecting Patient Data

A public-private healthcare group partnership has published a four-volume guide to protecting patients and patients’ information in the digital age. The first volume “discusses the current cybersecurity threats facing the health care industry and sets forth a call to action for the health care industry with the goal of raising general awareness of the issue.” The second and third “technical” volumes address cybersecurity practices for small and medium-to-large healthcare organizations. The fourth volume comprises supplemental references and resources.

  • Federal News Network: Industry, gov’t groups publish cyber guide to protecting patients’ information
  • phe.gov: Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients

CA – Not All Privacy Breaches of Humboldt Broncos’ Records by Doctors are ‘Snooping,’ Says College

Saskatchewan’s privacy commissioner found several doctors had inappropriately accessed electronic health records of Humboldt Broncos [see three January 29 Sask OIPC Investigation Reports: a) 11 pg PDF here; b) 10 pg PDF here; and, c) 10 pg PDF here] involved in a fatal bus crash last April [see wiki here], but a spokesperson for the College of Physicians and Surgeons of Saskatchewan [here] says some of the cases don’t meet the bar of “snooping.” Saskatchewan’s eHealth branch began monitoring the files of people involved in the high-profile tragedy almost immediately after the fatal crash, and “Anytime the profiles were accessed, eHealth would receive an alert,” confirmed Shaylene Salazar, who is the VP of Strategy, Quality and Risk for eHealth Saskatchewan. A few of the circumstances pointed out by the privacy commissioner involved three doctors who had provided emergency care to some Broncos at the Nipawin Hospital. Those doctors later reviewed patient records of those they treated, believing they were in the patient’s “circle of care.” The privacy commissioner’s findings indicate that “there is a misunderstanding among a lot of health care practitioners — when they provided care to a particular patient — when it may be appropriate to look at information about the patient they provided care to,” said Bryan Salte, legal counsel for the College of Physicians and Surgeons of Saskatchewan. Salte said it appears the physicians are “a very different circumstance than what we regard as snooping, which is something that is significant and serious.” Salte said current legislation says doctors must only look at a file in order to provide care, regardless of past or potential future encounters, which he said is problematic because they may not know if they provided adequate care. The privacy commissioner issued several recommendations in the reports, including that eHealth should conduct regular monthly audits of the physicians involved for the next three years.
He also recommended that the organization comply with a need-to-know principle rather than a circle-of-care concept. There are about 10,000 healthcare workers in the province who have access to the electronic viewer which contains patient records, Salazar said. … People can also request increased security on their personal information. “Patients can ask eHealth to fully block or mask their information.” Patients can also request a report that details everyone who has viewed their information. CBC News | Doctors snooped into Humboldt Broncos patient records, privacy commissioner finds

US – 2018 An All-Time Record Year for HIPAA Enforcement Actions by HHS-OCR

The Office for Civil Rights at the U.S. Department of Health and Human Services (HHS-OCR) had a record-breaking year in 2018 with Health Insurance Portability and Accountability Act (HIPAA) enforcement activity [see PR here]. HHS-OCR entered into 10 settlements and received summary judgment in a case before an Administrative Law Judge, totaling nearly $28.7 million in enforcement actions [see summary of 2018 settlements & judgements]. According to the HHS-OCR Director, Roger Severino, this record year underscores the need for covered entities to be proactive about their HIPAA data security. Here are three overarching themes from HHS-OCR’s 2018 HIPAA enforcement activity for HIPAA Covered Entities to consider: 1) Several settlements indicate failures to obtain written business associate agreements from business associates that maintain protected health information (PHI) and electronic protected health information (ePHI) on behalf of Covered Entities; 2) HHS-OCR is citing failures to conduct thorough risk analyses of potential risks and vulnerabilities to Covered Entities’ ePHI; and 3) PHI disclosures to the media are thoroughly assessed for compliance with the HIPAA exception. Source: DBR on Data (Drinker Biddle) See also: HIPAA Enforcement Update: Areas of Focus | Protecting Patient Privacy: HIPAA Compliance in the Electronic Age | Past cyberattacks offer clues to future threats HIT execs may face | Cottage Health Settles with OCR for $3M | HIPAA enforcements hit record $28 million in 2018 | What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

US – HHS Proposes New Rules to Improve the Interoperability of Electronic Health Information

The U.S. Department of Health and Human Services (HHS) today proposed new rules to support seamless and secure access, exchange, and use of electronic health information. The rules, issued by the Centers for Medicare & Medicaid Services (CMS) [see 251 pg PDF proposed rule – CMS-9115-P & fact sheet] and the Office of the National Coordinator for Health Information Technology (ONC) [see 724 pg PDF proposed rule – RIN 0955-AA01 & fact sheets], aim to increase choice and competition while fostering innovation that promotes patient access to and control over their health information. The proposed ONC rule would require that patient electronic access to this electronic health information (EHI) be made available at no cost. CMS’ proposed changes to the healthcare delivery system support the MyHealthEData initiative [see here] and aim to increase the seamless flow of health information, reduce burden on patients and providers, and foster innovation by unleashing data for researchers and innovators. In 2018, CMS finalized regulations that use potential payment reductions for hospitals and clinicians to encourage providers to improve patient access to their electronic health information. For the first time, CMS is now proposing requirements that Medicaid, the Children’s Health Insurance Program, Medicare Advantage plans and Qualified Health Plans in the Federally-facilitated Exchanges must provide enrollees with immediate electronic access to medical claims and other health information by 2020. CMS would also require these health care providers and plans to implement open data sharing technologies to support transitions of care as patients move between these plan types. The CMS rule also proposes to publicly report providers or hospitals that participate in “information blocking,” practices that unreasonably limit the availability, disclosure, and use of electronic health information and undermine efforts to improve interoperability.
ONC’s proposed rule calls on the healthcare industry to adopt standardized application programming interfaces (APIs), which will help allow individuals to securely and easily access structured and unstructured EHI formats using smartphones and other mobile devices. It also implements the information blocking provisions of the 21st Century Cures Act, including identifying reasonable and necessary activities that do not constitute information blocking. The proposed rule helps ensure that patients can electronically access their electronic health information at no cost. The proposed rule also asks for comments on pricing information that could be included as part of their EHI and would help the public see the prices they are paying for their healthcare. Source: U.S. Department of Health and Human Services | With new proposed rules, HHS takes major stab at interoperability framework | CMS proposes interoperability rules to increase EHR access | HHS unwraps long-awaited new information blocking rule

US – What Can We Learn From the Healthcare Data Breach ‘Wall of Shame’?

Covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are required to report breaches to the Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR). But the pain doesn’t end there. If the breach reported to HHS involved more than 500 individuals, it is published for the world to see on an HHS website, colloquially referred to as the “wall of shame.” The site has been in existence since 2009, but questions have arisen regarding its value, how the data is presented and how long the data should be available to the public. The persistence of the information available on the site has caused angst and criticism. Nevertheless, it has proved valuable for academics. A recent paper in JAMA Internal Medicine examined the causes of breaches based on 1,138 breaches reported on the wall of shame between Oct. 21, 2009, and Dec. 31, 2017, affecting 164 million patients. The researchers found that theft of protected health information (PHI) by outsiders was the cause of a significant portion of the 1,138 breaches analyzed. There were 370 breaches (or 32.5%) that were caused by outside thefts. The next-largest category was mailing mistakes (either via email or physical mail). These incidents accounted for 119 of the reported breaches (10.5%). Overall, however, the data analysis concluded that more than half of the breaches (53%) could be attributed to internal mistakes or neglect (as opposed to outside causes). These internal issues, in addition to mailing and emailing mistakes, included employees clicking on phishing emails, forwarding PHI to personal accounts and accessing PHI without authorization. Healthcare providers may want to more closely consider their own houses and what their own employees may be doing (or not doing). While additional employee training and more effective system controls and monitoring will not stop all employee mistakes, such steps could go a long way toward reducing the number of breaches.
Data Privacy Monitor (Baker Hostetler)

Horror Stories

WW – Report: Details on 617 Million User Accounts Up For Sale On Dark Web

Citing details provided by the seller, The Register reports that the Tor network-based dark web marketplace Dream Market this week began selling stolen data linked to roughly 617 million user accounts from 16 different websites. The affected online services consist of video messaging application Dubsmash (162 million accounts affected); health apps MyFitnessPal (151 million) and 8fit (20 million); genealogy platform MyHeritage (92 million); content sharing service ShareThis (41 million); Nordstrom’s member-only shopping website HauteLook (28 million); cloud-based video creation service Animoto (25 million); photography sites EyeEm (22 million), Fotolog (16 million) and 500px (15 million); online directory Whitepages (18 million); game portal website Armor Games (11 million); e-book subscription service BookMate (8 million); dating site CoffeeMeetsBagel (6 million); art appreciation website Artsy (1 million); and online learning platform DataCamp (700,000). … MyFitnessPal [here], Animoto [here] and MyHeritage [here] each disclosed a data breach last year that corresponds to this latest incident, while the remaining websites have not (possibly because they were unaware they were victimized). Compromised data primarily consists of individuals’ names, email addresses and hashed or encrypted passwords. But depending on the website, other lifted information includes usernames, IP addresses, birthdays, locations, countries, language, interests, account creation dates and security questions and answers. Presumably, cybercriminals who engage in spamming and credential stuffing campaigns would be able to make use of this information. Reportedly, the seller has set the value of the entire data set at approximately $20,000, but is offering each website’s data individually.
This latest data breach headache follows news of a series of major data dumps known as Collection #1 [see wiki here] and Collection #2-5, which left billions of email addresses and associated passwords exposed on the web. Sources: SC Magazine | 617 million accounts stolen in latest online data breach | Hackers Have Just Put 620 Million Accounts Up For Sale On The Dark Web — Are You On The List?

Law Enforcement

CA – Montreal Rejects Body Cameras for Police Officers

Montreal last week became the latest city in North America to decide against making the cameras standard police equipment.

  • The Montreal police force’s 235-page report on the results of a $3.4-million pilot project that saw 78 officers wear cameras between May, 2016, and April, 2017 ruled them out as costly and ineffective.
  • According to Alex Norris, chairman of Montreal’s public security committee, what has been described as a tool to increase transparency in the police force and improve relations between officers and citizens is “not ready for prime time.”
  • Officers didn’t have the reflex to turn on the camera in an emergency situation or when they needed to use force, Norris said. In moments of tension or during a physical altercation, the cameras often captured no images or just fragments. Norris doesn’t blame the officers.
  • Cities across Canada, including Toronto and Vancouver, are experimenting with the technology. In December, 2016, the RCMP decided against equipping its officers with the cameras. Halifax, like Montreal, has ruled them out as too costly.
  • The report estimated it would take roughly five years and $17.4-million to equip about 3,000 front-line officers with body cameras. It would cost an additional $24-million a year to maintain the camera program – equal to 4% of the force’s current annual operating budget.
  • Norris said the cost of storing the footage and ensuring video evidence is transferred and edited in accordance with legal principles was another reason the city decided against going ahead with the project.
  • Elsewhere in Canada, Calgary, Victoria and smaller towns such as Amherstburg, Ont., and Kentville, N.S., have decided in favour of cameras for their police officers. Calgary stated in July, 2018, that it was committed to arming all its front-line officers with body cameras by the end of 2019.
  • Police departments across the United States have had mixed results with the technology. The Washington Post reported in January that about half of the 18,000 law enforcement agencies in the U.S. “have some type of body-camera program, with many still in the pilot stage.” The newspaper reported that many smaller forces are having a difficult time paying to maintain the equipment and store the footage.
  • A research study on the use of body cameras within the Washington, D.C. Metropolitan Police Department found the cameras had “no detectable effect” on the use of force by officers or the volume of civilian complaints. The 18-month study published in 2017 analyzed data from 2,000 police officers who wore the devices.
  • Dan Philip, president of the Black Coalition of Quebec, said he thinks body cameras on police are necessary to protect the rights of citizens. Cameras, he said, would help in cases of racial profiling: “It would give victims the evidence that is necessary in order to bring the matter to court.”
  • His organization is trying to get a $4-million class action authorized against the city’s police force on behalf of people of colour allegedly profiled by Montreal officers.
  • “When there are no body cameras, the injustices continue,” Philip added. “And there is no recourse, because it will be the word of the police against the word of the victim – and we know which one will carry.”
  • Norris acknowledged that relations between the police and minority communities need to be improved, but he said cameras are not the answer – at least not yet.
  • “In many big cities, politicians are under pressure to come up with an answer when there is dissatisfaction expressed regarding relations between police and citizens,” he said. “And this technology is seen as a quick fix that will solve the problem. What we discovered is that it’s not a quick fix. It’s very expensive. It’s very cumbersome.” [Globe & Mail]

CA – Toronto Police End Shotspotter Project Over Legal Concerns

Tony Veneziano, the chief administrative officer of Toronto Police, told a budget committee meeting at City Hall that the force is abandoning plans to bring in a high-tech gunshot-detection system [wiki] known as ShotSpotter – championed by Mayor John Tory and approved in the wake of a wave of summer shootings [coverage] – due to legal concerns about the technology. The ShotSpotter system, used in many U.S. cities, uses a network of microphones, usually deployed in troubled neighbourhoods, to pinpoint the exact location of a shooting. Veneziano said, “We are no longer pursuing that technology. There’s legal issues that certainly have to be addressed, so we will no longer be looking at that.” While the firm behind the system, ShotSpotter Inc., based in Newark, Calif., says it cannot eavesdrop on conversations, some councillors raised privacy concerns about the surveillance. “They are not proceeding for the same reason many of us voted against it in the first place … an invasion of privacy, that there were severe risks around data collection and use,” Councillor Joe Cressy said. “Frankly, it was a shiny object in a RoboCop-style of enforcement model that was intended in the midst of the summer of the gun to make us all feel better.” Just last week, Toronto Police Chief Mark Saunders said police were still in the early stages of evaluating ShotSpotter, but confirmed that so far both Ottawa and Queen’s Park had declined to fund it. The Globe and Mail | Plans stall for Toronto Police Service’s gunshot-detection system

Location

US – Investigation Shows Bounty Hunters Accessed Location Data Intended for 911 Operators

Approximately 250 bounty hunters and related businesses had access to AT&T, T-Mobile and Sprint customer location data. The documents also show that data intended for 911 operators and first responders was sold to data aggregators who, in turn, sold the data to bounty hunters. The report notes that one data seller had access to “assisted GPS” data, which is intended to provide a user’s location data to within a few meters. According to those interviewed, this is the first instance of a telecom selling A-GPS data. [Motherboard]

Online Privacy

CA – Air Canada Records Users’ Interactions with Smartphone App

Air Canada’s app has been found to use an analytics service designed to capture the ways users interact with their phones while they use the product. The “session replay” service records a user’s phone screen in order to capture booked flights, changed passwords and credit card information. TechCrunch reports Air Canada is not the only company to use “session replays,” as Hollister, Expedia and Hotels.com also use the service. “Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips,” an Air Canada spokesperson said. “This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not — and cannot — capture phone screens outside of the Air Canada app.” [Global News]

WW – Investigation Finds Apps Employ ‘Session Replay’ Technology Without Consent

An investigation found that several popular apps record users’ iPhone screens without their knowledge or consent by embedding third-party “session replay” technology into their apps. The report notes that several apps employ Glassbox, a customer experience analytics firm, to allow them to see a user’s screen, follow and track keyboard entries, and understand how that user interacted with the app. There are several other session replay services available that are often used to understand why apps break, but the report notes the failure of some app developers to properly mask their session replay files when they are sent from a device to the company’s servers, potentially exposing sensitive data to attack. [TechCrunch]

WW – Apple Orders Apps to Disclose Screen-Tracking Technology

Apple has told app developers to either remove or properly disclose the use of analytics tools that allow them to record screen interaction or face removal from Apple’s App Store. The call follows an investigation that found several apps employed “session replay” technology. Meanwhile, Gizmodo reports that Apple has begun removing an option in Safari’s privacy settings called “Do Not Track” after the privacy project ended last month. Previously, Gizmodo reported on the general ineffectiveness of such options. [TechCrunch]

WW – Apple Revokes Facebook and Google Developer Certificates Because They Used them to Collect User Data

Facebook paid adults and teenagers to install a data-slurping iOS app using its enterprise certificate, bypassing the Apple App Store and requisite security checks. Apple had previously banned the application from the App Store for violating its data privacy rules. The app allows Facebook to see virtually everything a user does on the device. Apple states that distribution of the application for consumer research violates the terms of its enterprise development license. Google used a similar application to collect user and device data on iOS devices. Google acknowledged its mistake and disabled the application before Apple revoked its enterprise certificate. Both the Facebook and Google apps are still available on Android.

  • wired.com: Why Facebook’s Banned ‘Research’ App Was So Invasive
  • theregister.co.uk: Furious Apple revokes Facebook’s enty app cert after Zuck’s crew abused it to slurp private data
  • com: Apple revokes Facebook’s developer certificate over data-snooping app—Google could be next
  • cnet.com: Google’s data-gathering app may have also violated Apple’s policies
  • zdnet.com: Google shuts down iPhone data-gathering app: ‘This was a mistake, and we apologize’
  • theverge.com: Apple blocks Google from running its internal iOS apps

WW – Report Finds Apps are Back to Integrating SDKs

A report from SafeDK found that while the number of unused software development kits dropped by 1.2, the total number of SDK integrations averaged 18. This finding comes after an initial slowdown of SDK integrations ahead of the EU General Data Protection Regulation. TabTale CEO and Founder Sagi Schliesser explained, “It’s not difficult to clean up unused SDKs, but it’s also not a high priority for a lot of developers, because it’s more important to them to update their game than think about something like GDPR and how SDKs could make them vulnerable.” The report analyzed 190,000 top-charting apps in the Google Play store. [AdExchanger]

WW – Facebook Warned Over Privacy Risks of Merging Messaging Platforms

Recently the New York Times broke the news that Facebook intends to unify the backend infrastructure of its three separate products: Facebook Messenger, Instagram, and WhatsApp. The Irish Data Protection Commissioner, Facebook’s lead data protection regulator in Europe, has asked the company for an “urgent briefing” regarding plans to integrate the underlying infrastructure of its three social messaging platforms. In a statement the Commission wrote: “Previous proposals to share data between Facebook companies have given rise to significant data protection concerns and the Irish DPC will be seeking early assurances that all such concerns will be fully taken into account by Facebook in further developing this proposal.” When we asked for a response to the NYT report, a Facebook spokesperson confirmed it and said: “We want to build the best messaging experiences we can; and people want messaging to be fast, simple, reliable and private. We’re working on making more of our messaging products end-to-end encrypted and considering ways to make it easier to reach friends and family across networks. As you would expect, there is a lot of discussion and debate as we begin the long process of figuring out all the details of how this will work.” There certainly would be a lot of detail to be worked out. Not least the feasibility of legally merging user data across distinct products in Europe, where a controversial 2016 privacy u-turn by WhatsApp — when it suddenly announced it would after all share user data with parent company Facebook (despite previously saying it would never do so), including sharing data for marketing purposes — triggered swift regulatory intervention. Facebook was forced to suspend marketing-related data flows in Europe.
It has, though, continued sharing data between WhatsApp and Facebook for security and business intelligence purposes, leading the French data watchdog to issue a formal notice at the end of 2017 warning that the latter transfers also lack a legal basis. A court in Hamburg, Germany, also officially banned Facebook from using WhatsApp user data for its own purposes. Early last year, following an investigation into the data-sharing u-turn, the UK’s data watchdog obtained an undertaking from WhatsApp that it would not share personal data with Facebook until the two services could do so in a way that’s compliant with the region’s strict privacy framework, the General Data Protection Regulation (GDPR). The 2016 WhatsApp-Facebook privacy u-turn also occurred prior to Europe’s GDPR coming into force. And the updated privacy framework includes a regime of substantially larger maximum fines for any violations. We’ve reached out to Facebook for comment on the Irish DPC’s statement and will update this report with any response. TechCrunch

WW – Social Media Privacy Might Not Be Possible: New Research Study

The conventional wisdom is that the easiest way to stop social media companies like Facebook and Twitter from tracking and profiling you is simply by deleting your social media accounts. That, for example, was the basis for the #DeleteFacebook movement that gained momentum around the time of the Facebook Cambridge Analytica scandal in early 2018. But now a new study published January 21 by researchers at the University of Adelaide in Australia and the University of Vermont in the United States suggests that even deleting your social media accounts might not be enough to protect your social media privacy [see “Information flow reveals prediction limits in online social activity” by James P. Bagrow, Xipei Liu & Lewis Mitchell in the journal Nature Human Behaviour here]. The study analyzed 30.8 million Twitter messages from 13,905 Twitter accounts to see whether it might be possible to profile an individual simply by examining the profiles of, and interactions with, his or her friends. To test out that hypothesis, the researchers were able to sub-divide the 13,905 Twitter accounts into 927 “ego-networks” consisting of 1 Twitter user and 15 other accounts that interacted with that individual most frequently. The researchers hypothesized that it might be possible to see if interactions and communication with those 15 social networking accounts somehow “encoded” information about a user and his or her interests, likes and behaviors. This was the first-ever study that analyzed how much information about an individual is encoded in interactions with friends. From a social media privacy perspective, the study turned up some very concerning results. It turns out that the team didn’t even need 15 accounts to figure out a person’s profile. All they needed was tweets from 8-9 accounts (i.e. the “friends” of the user), and they could start to create some startlingly accurate profiles.
For example, machine learning algorithms could start to predict factors such as “political affiliation” or “leisure interests” simply by studying the tweets of someone’s friends. Often, they were able to do this with up to 95% accuracy. The remainder of this article discusses the study from within the framework of the following subheadings: 1) Friends can put you at risk on social networks; 2) The concept of privacy as an individual choice; 3) Why the Facebook Cambridge Analytica scandal matters; 4) Still looking for a solution to social media privacy. Sources: CPO Magazine | See also: #DeleteFacebook? #DeleteTwitter? #FatLotOfGood that will do you | On Facebook and Twitter your privacy is at risk — even if you don’t have an account, study finds

Other Jurisdictions

AU – Australia Sees Increase in Reported Data Breaches

In a recent report, the Office of the Australian Information Commissioner stated the number of Australian organizations reporting data breaches hit a new high, with 262 notifications received in the third full quarter of the Notifiable Data Breaches scheme. The majority of breaches stem from malicious attacks. The report noted that data breaches from human error fell from 37% to 33%. “Preventing data breaches and improving cyber security must be a primary concern for any organisation entrusted with people’s personal information,” Australian Information Commissioner and Privacy Commissioner Angelene Falk said. “Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords.” [iTnews]

Privacy (US)

US – ‘Near-Consensus’ Reached on Data Breach Victim Suits

Alison Frankel looks at the 9th U.S. Circuit Court of Appeals’ 2018 ruling in In re Zappos.com to see how the case impacts data breach victims. Frankel writes that the federal appellate courts seem to have reached a “near-consensus” that data breach victims need only allege an increased risk of identity theft to establish their constitutional right to sue a company for leaving their personal data vulnerable to hackers. Disputing this, Zappos has asked the U.S. Supreme Court to decide on the constitutional standing of data breach victims, but the justices have decided to hold the case until Frank v. Gaos is resolved. [Reuters]

US – NYT Reporters Land Facebook Privacy Publishing Deal with HarperCollins

A pair of reporters from The New York Times has received a publishing deal with HarperCollins to write a book about the privacy-related stories about Facebook. Sheera Frenkel and Cecilia Kang landed a seven-figure deal to write the book. Frenkel and Kang’s book will be based on a Times report from November that covered Facebook’s responses to several privacy incidents that have taken place over the past couple of years. Vanity Fair

US – Alphabet Warns Investors on the Impact of Data Privacy

In Alphabet’s latest earnings report filed with the U.S. Securities and Exchange Commission, Google’s parent company points to the impact of customers’ growing expectation of privacy. With a reported 83% of revenue stemming from the sale of digital ads, the company wrote, “Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business.” Alphabet also highlighted that as attention surrounding data privacy and security increases, the company “will continue to be subject to various and evolving laws.” [Forbes]

US – Report Grades States on Student Data Privacy

Peter Greene looks at how the proliferation of computer-based technology in schools has impacted student data privacy. “Schools are where one thorny modern issue — data privacy — meets our most vulnerable population — students,” Greene writes. Pointing to the 2019 State Student Privacy Report Card, which grades states across seven categories of protecting student data privacy, he writes, “The picture is not pretty; no state earned an A, and 28 states failed with either a D or an F.” Furthermore, 11 states were reported to have no student data privacy laws in existence. [Forbes]

US – CDT Releases Resource for CPOs in Education

In a blog post for the Center for Democracy & Technology, Senior Fellow of Student Privacy Elizabeth Laird announced the release of an issue brief focused on making the case for incorporating chief privacy officers into education. Describing a variety of practices that can help to support the addition of a CPO, the brief calls attention to the role of leadership and ways to broadcast the role as an organizational asset. Divided into two sections, the brief also examines the role of the organization in making a successful CPO, as well as what the role of a CPO should entail. [CDT.org] See also: Washington Post: Facebook Controversy Spurs Momentum in Congress for Privacy Safeguards for Kids and Teens

Privacy Enhancing Technologies (PETs)

WW – Chrome Offers “Password Checkup” Service

A new extension for Google’s Chrome browser checks to see if username/password combinations used in login forms have been leaked online. If the credential pair is flagged as being leaked, Chrome users will see a red warning pop-up box suggesting that they change that password. Firefox introduced the Firefox Monitor feature last November. It displays a one-time alert recommending users change their passwords when they visit websites that have been breached within the past 12 months. The Google support site says, “Password Checkup works when you’re signed in to the Chrome browser on a computer.” Elsewhere it says that installing the extension means you agree to Google’s Privacy Policy and Terms of Service, which apparently just changed again on 22 January. If you sign in to Chrome, you are automatically signed into every other service (like Google Search) that Google owns. Do you trust Google? [The Verge] See also:

  • wired.com: A New Google Chrome Extension Will Detect Your Unsafe Passwords
  • scmagazine.com: Google adds Password Checkup Chrome extension
  • zdnet.com: Google releases Chrome extension to check for leaked usernames and passwords
  • cnet.com: How to use Google’s new Password Checkup tool

Security

CA – Two-Factor Authentication Mandatory for New Ryerson Email Users

Students who enroll at Ryerson next fall and onwards will be required to use two-factor authentication when signing into their university email accounts. The university’s cybersecurity team wants all Ryerson email users to sign in by entering their password and an authenticator code by 2022. That means all students will have to refer to a code on an authenticator app linked to their email or buy a U2F key to insert into their computer to complete the second security step. Ryerson’s chief information officer said it’s time to make the extra security login measure mandatory since the university is facing an increasing number of security threats as the tools hackers use become more advanced. Brian Lesser said the university had to lock 22 student accounts last week because hackers accessed their accounts and made their passwords publicly accessible on online databases. “This week we locked another eight accounts for the same reasons,” he said. According to Statistics Canada, universities reported one of the highest levels of cybersecurity incidents of all Canadian businesses that experienced attacks in 2017. About 46% of universities reported attacks against them – second only to the banking sector, where 47% of institutions reported experiencing cybersecurity incidents. “Email accounts are great targets,” Lesser said. “If I can get hold of a lot of email accounts, I can send out spam for free.” Ryerson staff members are already required to use the additional security measure when signing in. [Ryersonian]

CA – Govt Creates Security and Intelligence Threats to Elections Task Force

The Canadian government announced it has created the Security and Intelligence Threats to Elections Task Force. The group aims to prevent any form of interference with the upcoming federal election. The task force will decide whether to release public warnings about malicious actors’ attempts to influence results; however, the group can only give public warnings after an election has been formally called. Any revelations of suspicious activity will be done by a nonpartisan body of senior lawmakers. The federal government also announced it plans to spend $7 million to educate citizens about where they get their news on social media. [IT World Canada]

Smart Cities / IoT

CA – Majority of Canadian Citizens Concerned About Smart-City Privacy: Survey

A survey conducted by McMaster University found 88% of Canadians expressed some level of concern about their privacy in smart cities. Of the 1,011 individuals surveyed, 23% said they were extremely concerned about smart-city privacy. When asked about what they wish to have done with their data, 71% would be open to their data being used for traffic and city planning, and 63% said they would be open for police to use their information for crime prevention. However, a third of Canadians do not want law enforcement to access their data. Minority and indigenous participants expressed higher levels of disapproval of the concept. [The Conversation]

US – NIST Calls for Feedback on IoT Cybersecurity Discussion Draft

The U.S. National Institute of Standards and Technology’s Cybersecurity for the Internet of Things Program wants stakeholders to offer feedback on its “Considerations for a Core IoT Cybersecurity Capabilities Baseline” discussion draft. NIST has called for insight on the identification of a minimum set of cybersecurity capabilities for IoT devices, as well as whether the capabilities listed in the discussion draft are reasonable for a core baseline and if they are useful for device manufacturers. All feedback will be considered and is expected to be a part of NIST’s next paper on IoT cybersecurity. [NIST]

WW – Report Examines Privacy Implications of APIs

Researchers from the University of Michigan and Fordham Law School released a report to help educate internet patrons on the privacy concerns around application programming interfaces. The report, titled “APIs and Your Privacy,” examined 11 online services to show the ways APIs gather and send consumer data, such as with Candy Crush Saga, Netflix, Google Maps and Search, Pandora, Tinder and ESPN. The researchers received support from AT&T for the report and presented their findings at the AT&T Policy Forum’s Symposium on Application Programming Interfaces and Privacy in Washington. “While APIs are an inherent part of how the online ecosystem works, their privacy implications deserve closer scrutiny — for APIs made available to both developers and advertisers,” the report states. [Fordham U | Phys.org | Are APIs the True Privacy Villains? | Survey: Developers Want API Standards | The case for healthcare-specific APIs | Google asks Supreme Court to overrule disastrous ruling on API copyrights – appeal against Oracle has huge stakes for the industry]

Surveillance

US – NY Allows Life Insurers to Use Social Media Data to Help Set Premium Rates

The New York State Department of Financial Services will now allow life insurers to use social media data and other forms of information to help set premium rates. Life insurers are permitted to incorporate this information into their processes as long as they can prove their algorithms are not biased against any marginalized groups. New York Financial Services Superintendent Maria Vullo said the department’s goal is to create a set of ground rules before the use of social media data becomes more widespread. Meanwhile, ride-hailing companies in New York City face new requirements to hand over more data to the city’s Taxi and Limousine Commission. [The Wall Street Journal]

US Government Programs

US – Advocacy Groups Ask Lawmakers to Reject Border Surveillance Proposals

In a letter to U.S. House Speaker Nancy Pelosi, D-Calif., the Democratic leadership and the full membership of the House of Representatives, advocacy groups urged lawmakers to oppose the proposal for “Smart, Effective Border Security,” which, they write, calls for funding of “various invasive surveillance technologies that would intrude on the liberties of travelers, immigrants, and people who live near the border,” The Washington Post reports. The letter expresses concern with risk-based targeting technologies, mass surveillance, license plate readers, and biometric and DNA screening. “The prospect of the U.S. government building a surveillance wall that vacuums up the private information of immigrants and travelers and U.S. citizens alike is a menace to privacy,” Electronic Frontier Foundation Staff Attorney Adam Schwartz said. [Full Story]

US Legislation

US – Congress Should Consider Comprehensive Privacy Legislation: GAO

In a report released February 13, the Government Accountability Office (GAO) is recommending that Congress consider coming up with comprehensive internet privacy legislation, something both sides of the aisle have been saying needs to happen [see House Energy & Commerce Committee PR here, 56 pg PDF report here, highlights here and recommendations here]. The report, which was requested by Rep. Frank Pallone (D-N.J.) [here & wiki here], chairman of the House Energy & Commerce Committee [here & wiki here], found that while most industry stakeholders favored the current approach of the Federal Trade Commission enforcing unfair and deceptive practices rather than new rules, consumer advocates and most former FTC and FCC commissioners [the GAO] interviewed (from both parties) favored having the FTC issue enforceable regulations. GAO recommended that Congress should at least “consider” coming up with “comprehensive legislation on Internet privacy that would enhance consumer protections and provide flexibility to address a rapidly evolving Internet environment. Issues that should be considered include what authorities agencies should have in order to oversee Internet privacy [including civil penalty authority for first time offenses], including appropriate rulemaking authority.” Pallone will try to get that ball rolling with the committee’s first privacy hearing under new, Democratic, control, which he has scheduled for Feb. 26 in the Consumer Protection Subcommittee, which is chaired by Rep. Jan Schakowsky (D-Ill.). While GAO couches its recommendation with words like “consider” and plenty of conditional language, as is its practice, it clearly suggests legislation would be a good thing. Over the past few months several Senators have proposed their own measures, including: a) Ron Wyden, D-Ore.; b) Marco Rubio, R-Fla.; c) Amy Klobuchar, D-Minn.; and d) Brian Schatz, D-Hawaii.
Broadcasting & Cable | Federal GAO Supports New Privacy Laws, Fines For Violators | Government watchdog finds weak enforcement of US privacy regulations | House panel to hold hearing on data privacy legislation

US – Chamber Releases Model Privacy Legislation, Urges Congress to Pass a Federal Privacy Law

On February 13, the U.S. Chamber of Commerce released model privacy legislation calling for a federal privacy law that would protect consumers and eliminate a confusing patchwork of state laws [see 1 pg overview and model text]. The U.S. Chamber worked with nearly 200 organizations of all sizes and sectors to draft the model legislation. It focuses on transparency, consumer control, and support for innovation. The model legislation would require businesses to be transparent about how personal information is used. Businesses would also have to comply with requests from consumers regarding how personal information is being used and shared. It includes, with common-sense exceptions, opt-out and data deletion provisions, which the USCC says are a critical part of ensuring consumers have control of how personal information is used. The USCC says the model legislation would support innovation through regulatory certainty. Businesses would comply with one nationwide privacy framework, as opposed to having to navigate 50 unique state laws. The FTC would be tasked with enforcing the legislation and would have the ability to impose civil penalties on businesses that violate transparency, opt-out, or data deletion provisions. U.S. Chamber of Commerce

US – Calif. Lawmakers Introduce Data Privacy Omnibus Package

A group of five California State Assembly members has introduced a data privacy omnibus package. It is expected to include four bills and a resolution designed to bolster the California Consumer Privacy Act. The four bills include rules to no longer allow companies to store voice data on smart speakers used for marketing, requirements for social media companies to obtain a parent’s permission before any child uses their platforms, a new data breach notification rule, and a push to have Congress and the U.S. Federal Trade Commission update federal antitrust legislation. AB 288, the only part of the omnibus to be formally introduced, mandates that social media companies give users who shut down their accounts the choice to have their personally identifiable information permanently removed. [Government Technology | Five Questions You Should Be Asking as Congress Takes on Privacy Legislation | Tech Group Favors Privacy Bill That Preempts Tougher State Laws | How are Businesses Preparing for Proposed Federal Data Privacy Legislation? Part One: Understanding Current Proposals]

US – Takeaways from CCPA Public Forums

When California Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) [see wiki & infographic] into law on June 28, 2018, there was broad agreement that revisions and clarifications were necessary. The CCPA was written and enacted with extraordinary speed, as legislators moved to pre-empt a data privacy ballot initiative. The California legislature has already passed a “clean-up” bill [see SB-1121 here] to address concerns expressed about the CCPA, and heated debates over the meaning and merits of specific provisions continue. Against this backdrop, and with less than a year before the CCPA goes into effect on January 1, 2020, eyes are now increasingly turning to the California Attorney General (AG). The CCPA mandates that the California Attorney General “solicit broad public participation and adopt regulations to further the [CCPA’s] purposes,” including with respect to seven specific focus areas, before July 1, 2020 [see Sec. 13 here]. Given the public interest in, and lingering questions about, the CCPA, this rulemaking is eagerly anticipated, and the AG’s Office has consequently decided to host a series of public forums throughout the state in order to collect stakeholder input [see schedule here & AG’s forum slide deck 6 pg PDF here]. While it’s of course still too early to tell how the AG’s regulations will ultimately shake out, these forums nonetheless are valuable indications of what may be to come as businesses wrestle with several key questions for CCPA compliance: 1) What provisions might the AG regulations address?; 2) What other provisions might they address, such that compliance efforts should be careful not to get too far ahead of the regulatory clarification?; and 3) What are the next steps? The remainder of this blog post addresses these questions in some detail.
Sources: Data Matters Blog | Sacramento CCPA Public Forum Attracts Among the Largest Turnout to Date | California Consumer Privacy Act: The Challenge Ahead – The CCPA’s “Reasonable” Security Requirement | California DoJ Sets March 8 Deadline for CCPA Pre-Rulemaking Comments | California Consumer Privacy Act: Are You Prepared for 2020? — CyberSpeak Podcast | As Businesses Prep for California’s Data Privacy Law, They’re Also Fighting to Change It & Big Tech isn’t the only group concerned | Bill Package Looks to Strengthen Data Protections in California | California AG’s Office Gets Public Input on CCPA | Public Forums on the California Consumer Privacy Act Continue in Los Angeles – Rulemaking to Follow | Data Privacy Day – Special Report – California Consumer Privacy Act FAQs for Employers | California Attorney General’s Office Gathers Public Opinions Regarding the Implementation of the California Consumer Privacy Act

US – Comprehensive Data Privacy Legislation Introduced In Massachusetts

Massachusetts state Senator Cynthia Creem [see here & wiki here] has introduced a consumer data privacy bill, SD 341 [see text here], that would give Massachusetts consumers the right to sue in the event their personal information or biometric data is improperly collected or distributed or for any other potential violation of the new law. Under SD 341, and similar to Illinois’s Biometric Information Privacy Act (BIPA) [text here & wiki here], consumers may not be required to demonstrate or have suffered monetary or property losses in order to seek damages for an alleged violation. Any violation of the proposed new law could be grounds for a valid private action. It states that “a violation of this chapter shall constitute an injury in fact to the consumer who has suffered the violation, and the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action for a violation of this chapter.” A prevailing plaintiff can receive the greater of $750 “per consumer incident” or actual damages and can also receive attorneys’ fees. It would grant Massachusetts consumers certain rights with respect to their personal data, including: 1) A right to notice “at or before the point of collection” of the personal information that will be collected and disclosed and the purpose of such collection or disclosure; 2) A right to request a copy of collected personal information; and 3) A right to request deletion of collected personal information. Additionally, consumers would have the right to demand that covered businesses not disclose their information to third parties – in other words, with limited exceptions, consumers would be able to opt out of any transfers of their personal information by a business to other businesses that are not service providers. If SD 341 is enacted, it would not take effect until January 2023 after related rule-making is conducted by the Massachusetts attorney general. 
Sources: Technology Law Dispatch (ReedSmith) | Massachusetts Considers Bill to Limit Facial Recognition | Massachusetts State Senators Seek to Enact Biometric Data Protection Law | Notable challenges from the updated Massachusetts data breach notification law | Massachusetts Amends Data Breach Notification Law to Require Free Credit Monitoring | Massachusetts Amends Data Breach Notification Law

US – How to Shine a Light on U.S. Government Surveillance of Americans

This year, Congress must vote on reauthorizing provisions of the Patriot Act [see here & wiki here] that are due to expire [December 15] — including Section 215 [see wiki here, also see EFF take here], which the government abused for years to illegally collect Americans’ phone records in bulk. As this debate gets underway, both Congress and the public need some answers. In 2015, Congress passed the USA Freedom Act [see here & wiki here] to reform parts of the Patriot Act and make other much-needed changes to the government’s surveillance activities. Perhaps most notably, the law prohibited the bulk collection of Americans’ call records, internet metadata, and other private information under several statutes. It also sought to enhance transparency, so that illegal surveillance programs under these authorities would never again flourish in secrecy. Four years later, however, serious questions remain about whether these reforms have successfully halted bulk collection and other forms of overbroad surveillance. It’s also unclear whether additional measures are needed to safeguard communities of color and Americans engaged in First Amendment-protected activities. The ACLU has filed a new Freedom of Information Act lawsuit in an effort to shed light on these significant gaps in the public’s understanding. Similarly, in order to inform the coming debate, Congress and the public must demand answers to the following questions. 
[The remainder of this blog post addresses the following questions]: 1) What additional changes are needed to prevent the bulk collection of Americans’ private data under the Patriot Act?; 2) Is the Patriot Act being used to infringe on First Amendment-protected activities?; 3) Is the Patriot Act being used to discriminate on the basis of race, religion, national origin, or other protected factors?; 4) Why has the government not disclosed more opinions from the secret intelligence court?; and 5) How many Americans have had their private information collected under other surveillance authorities? … Answers to these questions are essential as Congress debates expiring provisions of the Patriot Act and the additional safeguards that are needed to protect Americans’ rights.   Speak Freely blog (American Civil Liberties Union) and Three FISA Authorities Sunset in December: Here’s What You Need to Know

US – Oregon Lawmakers Pass Bill to Let Patients Get Paid for Health Data

As data becomes more valuable, and privacy seems increasingly elusive, state lawmakers in Oregon are starting a conversation about a new way to empower consumers. This week, a group of Oregon lawmakers introduced legislation that would empower Oregon residents to get a cut of the value of their medical data [it’s titled “Health Information Property Act” – see Oregon Senate Bill 703 here]. The Health Information Property Act effectively treats personal health data like property. The bill has three components. It would:

1) Require HIPAA-covered entities — as well as their business associates or subcontractors — to get signed authorization from consumers before de-identifying their personal health information (PHI) to sell the data to a third party;

2) Allow consumers to elect to receive payment in exchange for authorizing the de-identification of their PHI for the purpose of sale; and

3) Prohibit companies subject to HIPAA from discriminating against a consumer who refuses to sign such an authorization or who wants to get paid for it.

State Rep. David Gomberg [see here & wiki here], one of the sponsors of the Health Information Property Act, heard about the idea to treat personal data as property from Humanity.co [see here], a company that’s built a blockchain-based app that lets people sell their personal data. Humanity.co has had similar conversations about introducing this kind of legislation in other states, including New Jersey. ZDNet

Workplace Privacy

US – Non-Desk Employees Use Messaging Apps, Even Without HR’s Knowledge

A survey conducted by Speakap found most non-desk employees use messaging applications, such as WhatsApp and Facebook Messenger. Speakap defines non-desk employees as staff members who work at retail stores, hotels and restaurants. Of the 1,000 non-desk employees polled, 53% said they use messaging apps for work-related communications up to six times a day, with 16% believing their company’s human resources department did not know of such use. Speakap states companies in Europe have tried to ban the use of messaging apps in order to avoid issues with the EU General Data Protection Regulation. [Adweek]

 

+++

24-31 January 2019

Biometrics

US – Illinois Supreme Court Rules Actual Harm Not Required for BIPA Claim

On January 25, 2019, the Illinois Supreme Court published a widely anticipated decision in Rosenbach v. Six Flags Entertainment Corporation et al., addressing the question of what it means to be an “aggrieved” person under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 et seq. (“BIPA”) [see wiki]. Under BIPA, aggrieved persons are entitled to seek liquidated damages and injunctive relief. In a unanimous decision authored by Chief Judge Karmeier, the court held that individuals seeking relief under BIPA “need not allege some actual injury or adverse effect” to be considered aggrieved persons. The court’s decision reversed a lower court ruling that distinguished between “actual” and “technical” BIPA violations. BIPA requires private entities to (i) inform individuals about the collection and storage of their biometric identifiers or information, (ii) detail the purpose and length of time for which such data will be collected, stored, or used, and (iii) obtain a written release from individuals prior to the collection of such data. The lower court characterized violations of these three requirements alone as “technical” violations of BIPA that would not entitle plaintiffs to relief absent allegations of “injury or adverse effect.” This decision will affect numerous pending federal and state BIPA actions that have struggled to interpret BIPA’s statutory requirements. It may also re-ignite pressure on the Illinois legislature to clarify and limit the scope of the statute—an effort contemplated by an amendment that was introduced, but not passed, last year. Despite developments in the Illinois state courts, a recent Northern District of Illinois decision suggested that BIPA claims brought in federal court may not be able to satisfy Article III standing requirements under the Supreme Court’s decision in Spokeo v. Robins absent an “actual” harm. Thus, the Rosenbach decision, while significant in its substance, may have limited effect in the federal courts.
Inside Privacy Blog (Covington) See also: No Harm, Still a Foul: Illinois Supreme Court Rules on the Collection of Biometric Data | Illinois Supreme Court Says Infringement of Rights Under Biometric Act Is Sufficient for Standing, Even Absent Additional Harm | Rosenbach v. Six Flags Entertainment Corporation – Illinois Supreme Court Holds That a Technical Violation of Statutory Biometric Rights is Sufficient to Bring a Claim | Illinois Supreme Court Empowers Claims Under Biometric Information Privacy Act | Court rules companies can be sued for collecting biometric data without consent

US – Prisons Quietly Building Databases of Incarcerated People’s Voice Prints

In New York and other states across the country, authorities are acquiring technology to extract and digitize the voices of incarcerated people into unique biometric signatures, known as voice prints. Prison authorities have quietly enrolled hundreds of thousands of incarcerated people’s voice prints into large-scale biometric databases. Computer algorithms then draw on these databases to identify the voices taking part in a call and to search for other calls in which the voices of interest are detected. Some programs, like New York’s, even analyze the voices of call recipients outside prisons to track which outsiders speak to multiple prisoners regularly. Authorities and prison technology companies say this mass biometric surveillance supports prison security and fraud prevention efforts. But civil liberties advocates argue that the biometric buildup has been neither transparent nor consensual. Once the data exists, they note, it could potentially be used by other agencies, without any say from the public. The rapid, secretive growth of voice-print databases is “probably not a legal issue, not because it shouldn’t be, but because it’s something laws haven’t entertained yet,” noted Clare Garvie, a senior associate at Georgetown Law’s Center on Privacy and Technology. “It’s not surprising that we’re seeing this around prisons, just because it can be collected easily,” she continued, referring to biometric voice data. “We’re building these databases from the ground up.” The scale of prisons’ emerging voice biometric databases has not been comprehensively documented nationwide, but, at minimum, they already hold more than 200,000 incarcerated people’s voice prints. The databases of recorded calls from which prison authorities could search for outsiders’ voice samples could also potentially include millions of recorded calls for state and countywide systems. 
According to the design requirements New York’s Department of Corrections gave to Securus, for example, the company must be able to record every call, archive all call recordings for a year, and maintain any calls flagged for investigative purposes “indefinitely” through the life of the contract, which ends in 2021. The Intercept

CA – QB Court Rules DNA Collected from Coffee Cup is Admissible Evidence

A man found guilty of brutally assaulting four women in Montreal has lost his attempt to have his convictions overturned. The Quebec Court of Appeal said that DNA evidence collected from a cup of coffee left at a restaurant does not violate the right to privacy. Giovanni D’Amico was found guilty in 2014 on multiple counts of sexual assault, one charge of sexual assault causing bodily harm, and one count of assault. The attacks occurred between 2002 and 2005, but D’Amico was only arrested in 2008 after DNA testing linked him to the crimes. The trial took more than four years and several victims were reluctant to co-operate with police, while one of them died before she could testify. The NDG businessman was convicted in 2014 and sentenced a year later to 12 years in prison. D’Amico appealed the verdict, with his lawyer arguing that the collection of DNA did not take place appropriately. In its ruling, the court said that the manner of collection was appropriate and the conviction would stand. However, the court said the process raises another question that society and the legislature should analyze: Should police be able to collect DNA from suspects, and how long should they be allowed to keep samples? CTV Montreal

Big Data / Data Analytics / AI

EU – Convention 108 Committee Releases AI Guidelines

The Committee of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, or Convention 108, has released new guidelines on artificial intelligence and data protection. The guidelines are designed to help lawmakers, developers and manufacturers ensure AI applications uphold data subjects’ rights. “Artificial intelligence brings benefits to our daily lives,” Council of Europe Chair of the Committee of Ministers Timo Soini said. “It is necessary to look into the ethical and legal questions that it raises. To ponder this, we have invited many high-level experts from all member states to a conference on the impacts of artificial intelligence development on human rights, democracy and the rule of law in Helsinki on [Feb. 26 and 27] that will allow us to exchange thoughts and knowledge.” [Council of Europe]

Canada

CA – Canada’s PIPEDA Consent Guidelines Now In Effect

Canada’s new guidelines for obtaining consent under PIPEDA are now in effect. Last year the federal Office of the Privacy Commissioner and the Alberta and British Columbia Offices of the Information and Privacy Commissioner jointly issued the guidelines, which outline how to get “meaningful” consent. The OPC will now apply the guidelines when looking at how companies obtained consent, and it has been reported that the guides are viewed by the regulators to have the force of law. Companies are expected to find creative solutions for developing a consent process, and the guidelines provide seven principles for companies to consider. These include transparency: making clear what is being collected and why. Also part of transparency is whether the information is shared. Companies should also give people clear options (“yes” or “no”) and be innovative when putting together the consent process. The consents should, similarly, be user-friendly. Finally, the guidelines urge companies to be ready to show how they implemented the principles when designing their consent process. To help companies, the guidelines include “must do” and “should do” checklists. Putting it Into Practice: This Canadian guidance gives helpful insight into what regulators expect from a consent process, which may be useful even for those that operate outside of Canada. Eye on Privacy Blog (Sheppard Mullin)

CA – Data Privacy Day Focuses Attention on Canadians’ Privacy Rights: OPC

As people around the world mark Data Privacy Day, Privacy Commissioner of Canada Daniel Therrien is highlighting the importance of protecting, understanding and exercising privacy rights. “Privacy plays an important role in protecting other fundamental rights and values, including freedom and democracy,” says Commissioner Therrien. “It’s therefore critical for Parliamentarians, organizations and individual Canadians to understand, protect and promote privacy rights.” Versions of a Data Privacy Day op-ed by Commissioner Therrien reflecting on why privacy is essential were published by two newspapers. The Office of the Privacy Commissioner of Canada (OPC) recently launched a downloadable “Know your privacy rights!” poster that can be used by organizations to mark Data Privacy Day and also to highlight the importance of privacy protection all year round. The poster offers tips such as reading up on privacy law basics and learning how to raise a concern with organizations. The OPC’s website offers a broad range of other tips and guidance for individuals, including 10 Tips for Protecting Personal Information. Canada has observed Data Privacy Day on January 28th since 2008. The day commemorates the 1981 signing of the first legally binding international treaty on privacy and data protection. Office of the Privacy Commissioner of Canada News

CA – Data Privacy, Today and Every Day – IPC

Facebook and Cambridge Analytica. General Data Protection Regulation. These were headline news for much of 2018. Both served to highlight how advancements in technology can infringe on privacy rights and the importance of valuing and protecting personal information. While it might be tempting to just close the book on 2018 and move on, issues related to privacy, data and technology aren’t going anywhere soon. It’s a fitting topic given that today is Data Privacy Day, but it’s one we should be thinking and talking about more often. Recognized around the world, Data Privacy Day raises awareness of privacy and data protection among individuals, organizations and government officials. The date coincides with the first legally binding international treaty on the protection of personal data, Convention 108, signed on January 28, 1981. Last week, our office held a privacy day event to help people understand some of the potential privacy challenges of technology-driven smart cities and spark discussion about this very important, and timely, topic. It included a panel with experts from the legal, information management and public service fields, answering questions from people across Ontario. If you missed it, a full replay of the day’s discussion is available on our YouTube channel. Our office has many resources to help you cut through the noise and gain a better understanding of how privacy affects your organization and your day-to-day life (links to a few of them are included below). These resources, and many more on a variety of topics, are available by selecting the guidance tab on our website’s homepage. Use them to expand your knowledge and make privacy a priority in 2019. 
Resources: Smart Cities and Your Privacy Rights; General Data Protection Regulation; Big Data and Privacy Rights; and Your Child’s Privacy in School | Source: IPC Blog | See also: ‘Privacy Day’ explores how to yield benefits from smart cities without privacy pains | 11 Expert Takes On Data Privacy Day 2019 You Need To Read | National Data Privacy Day Is Wishful Thinking

Consumer

WW – People Will Trade Personal Data for Convenience and Security: Study

People are more than happy to share their personal data, just as long as they’re getting something in return. That’s the main takeaway from Experian’s Global Identity and Fraud Report, which found that growing privacy concerns have not soured people on the overall potential of the digital experience. The vast majority (90%) of consumers are aware that businesses are collecting personal information, but 70% would still be willing to hand over more information if it would make their online interactions faster and safer. Additional findings from the third annual fraud report include:

  • 55% of businesses reported an increase in fraud-related losses over the past 12 months, particularly account opening and account takeover attacks.
  • 60% of consumers globally are aware of the risks involved with providing their personal information to banks and retailers online.
  • Banks and insurance companies are the organizations trusted most by consumers across most regions. Online retail sites and social media sites trail considerably on trust.
  • Nearly nine out of 10 consumers report conducting personal banking as their top online activity.
  • Passwords, PIN codes and security questions remain the authentication methods most widely used by businesses, followed by document verification, physical biometrics and CAPTCHA.

Sources: Experian Study | Mobile ID World

E-Government

CA – 1.6 million Canadian Banking Records Shared with IRS

The Canadian government has shared more than 1.6 million Canadian banking records with the U.S. Internal Revenue Service (IRS) since the start of a controversial information sharing agreement in 2014 [Foreign Account Tax Compliance Act (FATCA) – overview]. In 2016 and again in 2017, the Canada Revenue Agency (CRA) provided the IRS with information on 600,000 Canadian bank accounts each year. That’s a sharp increase from the 300,000 records shared in 2015 and the 150,000 records shared in 2014, the year the sharing began. However, that doesn’t necessarily correspond to the number of people affected. Some people may have more than one bank account, while some joint accounts could have more than one account holder — including people who don’t hold U.S. citizenship. Among the items of Canadian bank account information being shared with the U.S. are the names and addresses of account holders, account numbers, account balances or values, and information about certain payments such as interest, dividends, other income and proceeds of disposition. Under the intergovernmental agreement, Canadian financial institutions transfer information on bank accounts held by people who could be subject to U.S. taxes to the CRA. In return, the IRS is supposed to send the CRA information about U.S. bank accounts held by Canadians. The CRA, however, has repeatedly refused to reveal how many records, if any, it has received from the IRS as a result of the agreement. Nor does the CRA automatically notify Canadian account holders when their information is transferred to the U.S. All this comes as the Federal Court of Canada prepares to hear a constitutional challenge of the information-sharing agreement in Vancouver. Those challenging the agreement argue that it violates sections 7, 8 and 15 of Canada’s Charter of Rights, which protect Canadians from violations of their right to life, liberty and security, unreasonable search and seizure and discrimination against those who hold U.S. as well as Canadian citizenship. In their submission [see here & here] to the court, the plaintiffs argue that some of the people whose banking records have been shared with the IRS may not be subject to U.S. taxes. [CBC News | The Post Millennial: The CRA is failing to notify Canadians that their banking records are being shared with the IRS]

CA – Thousands Affected by CRA Employees Snooping

The information of thousands of Canadians has been accessed inappropriately by Canada Revenue Agency employees. The CRA confirmed that there were 264 privacy breaches between Nov. 4, 2015 and Nov. 27, 2018. A total of 41,361 Canadians were impacted. Of those people, 37,502 were deemed to face a “low risk of injury” and weren’t contacted by CRA. The CRA said that it has notified 1,640 of the affected individuals and is in the process of sending letters to 34 more. “For a number of other reasons, 2,185 individuals were not notified,” the CRA added, pointing out that some individuals were deceased or there was no address available. Conservative national revenue critic Pat Kelly said that it’s unacceptable that information like a person’s income was accessed inappropriately. The CRA said that 182 of the 264 CRA employees who accessed data without authorization have been disciplined, 36 face a pending decision and 46 have “left” the CRA. Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner, noted that the office had conducted an audit of the CRA in 2013 and that the agency claims to have “substantially or fully implemented all measures that we recommended.” “The Agency reported that it made several important improvements to its management of personal information, including introducing new policies, increasing corporate oversight and ensuring more timely assessment of privacy and security risks,” Cohen said. “The fact that unauthorized/inappropriate access by employees is still happening at all, despite the measures CRA has taken, remains an ongoing concern,” Cohen added. Deb Schulte, parliamentary secretary to the minister of National Revenue, said the government takes the matter seriously and has invested $10 million on prevention. “We now have an enterprise fraud management system that reveals every time someone is in where they shouldn’t be,” said Liberal MP Schulte. The software was implemented in 2017. [CTV News]

CA – Therrien Shares Thoughts on Privacy of Digital Government Services Study

Privacy Commissioner of Canada Daniel Therrien spoke in front of the Standing Committee on Access to Information, Privacy and Ethics to voice his views on the study of the privacy implications of the implementation of digital government services in the country. Therrien cited the government’s Data Strategy Roadmap it published in November. The road map stated data has the ability to allow the government to make “better decisions”; however, the government needs to “refresh our approach.” “I would ask you to remember that while adjustments may be desirable, any new legislation designed to facilitate digital government services must respect privacy as a fundamental human right,” Therrien said. “Modalities may change but the foundation must be solid, and that foundation must respect the right to privacy, and be underpinned by a strengthened privacy law.” [Priv.gc.ca]

CA – Joint Treasury Board-Digital Government Role Leads to Privacy Concerns

Ken Rubin writes about the conflicts of interest that have emerged from the government’s decision to merge the treasury board president role with the minister of digital government. Rubin writes the treasury board is in place to monitor government spending; however, it has spent public money to implement governmentwide data delivery. “There has not been a privacy impact assessment done by the privacy commissioner on the implications of moving to a more digital government under a combined Treasury Board/Digital Ministry,” Rubin writes. “Treasury Board, which has a lead role in privacy protection, however, can find itself in a conflict because its dual role as a digital ministry means Canadians using its services may be in for more, not fewer, privacy invasions and breaches.” [Ottawa Citizen]

EU Developments

EU – European Data Protection Board Releases Report on the Privacy Shield

On January 24, the European Data Protection Board [EDPB] adopted a report [Press Release] regarding the second annual review of the EU-U.S. Privacy Shield. In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson. But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield. The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield. The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield. The Report focuses on assessment of both the commercial and government access aspects of the Privacy Shield, and presents the EDPB’s findings based on its participation in the second annual review in Brussels. On the commercial aspects, the Report acknowledges that “significant progress has been made” since the first annual review, and highlights a number of improvements (which the European Commission had also called out in its recent report on the second annual review of the Shield) [IPB post here]. The Report also recalls “remaining issues” initially raised in a 2016 Opinion by the Article 29 Working Party [EDPB’s predecessor see wiki here], which “remain valid” [see IPB post here]. Ultimately, while the Report highlights certain successes and concerns with the Privacy Shield that arose during the second annual review, many of the Report’s concerns have been raised before in other forums. And the Report acknowledges that these same concerns will likely be addressed by the European Court of Justice in challenges to the Privacy Shield pending before that Court. 
Inside Privacy Blog (Covington) and Privacy & Information Security Law Blog (Hunton Andrews Kurth)

EU – Google Fined €50 Million Over GDPR Violations

French data regulator CNIL has fined Google €50 million (US$57 million) for violations of the General Data Protection Regulation (GDPR). CNIL says that Google failed to make its data collection policies easily accessible and that it did not obtain sufficient, specific consent for ad personalization across its services. The ruling against Google focuses on Google making it hard for users to understand what data is being collected and sold, as well as the basic “opt-out, if you can figure out how” philosophy that causes users to automatically give away their data when enrolling in a service and is prohibited by GDPR. [Sources: CNIL.fr | BBC | Ars Technica | ZDnet | Data Protection Report (Norton Rose) See also: GDPR Alert: Google Gets Biggest Fine Ever Issued by a European Data Protection Authority and First sanction decision rendered by the CNIL under the GDPR: GDPR awareness 2.0 has begun]

EU – Advocate General Opinion Supports Limiting the “Right to be Forgotten”

On January 10, Advocate General Maciej Szpunar released an opinion [in French] recommending that Google and other search engines should not be forced to apply the EU’s “right to be forgotten” beyond the EU. This opinion is part of a long-running battle over privacy rights in the EU. In May 2014, the CJEU issued an opinion in Google Spain v. Agencia Española de Protección de Datos (AEPD), ruling … Google and similar commercial search providers could be required to remove links to personal information from search results. This is commonly referred to as the “right to be forgotten,” and the now-operative General Data Protection Regulation includes a right to request erasure in Article 17. Leading to the issue now before the CJEU, in May 2015, the president of the French Commission nationale de l’informatique et des libertés (National Commission for Information Technology and Civil Liberties; the “CNIL”) put Google on notice that it must remove results on all of the search engine’s domain name extensions, because a Google search consists of a single process across all domains. In July 2015, Google filed an informal appeal asking the president of the CNIL to withdraw this public formal notice. In September 2015, the CNIL rejected this informal appeal. In last week’s opinion, Advocate General Szpunar argued that the fundamental right to be forgotten must be balanced against other fundamental rights, including the right to data protection and the right to privacy, as well as the legitimate public interest in accessing the information sought. However, the Advocate General did acknowledge that some situations may call for worldwide erasure, though he declined to suggest it in this case. This case will test the CJEU on how to balance globally mobile data with national laws and territorial jurisdiction, and it highlights the practical difficulties of compliance. A decision from the CJEU is expected in 2019, and no final appeal is possible within the EU.
The advocates general assist the judges of the Court of Justice of the European Union (CJEU), providing independent legal solutions to issues presented to the CJEU. The judges decide whether an official opinion from an advocate general is necessary. The judges are not obligated to follow an advocate general’s recommendation but often do. Sometimes the CJEU will also arrive at the same conclusion as the advocate general but through different legal analysis. Data Privacy Monitor (Baker Hostetler) and Security, Privacy and the Law: Is the Right to be Forgotten National, European or Worldwide? The Advocate General Issues an Opinion in the Google Case (Foley Hoag LLP)

UK – ICO to Investigate Google for Potential GDPR Violations

The U.K. Information Commissioner’s Office has launched an investigation into Google for potential violations of the EU General Data Protection Regulation. The ICO’s inquiry comes after France’s data protection authority, the CNIL, fined the tech company $57 million for GDPR infractions. “Following the notice of the French supervisory authority (CNIL) to fine Google, the ICO is currently reviewing the notice to consider its content and possible next steps,” an ICO spokesperson said. “The ICO is also liaising with other data protection authorities across Europe on this topic.” [ITPro]

WW – ICDPPC Releases Final Report

The final report from the 40th International Conference of Data Protection and Privacy Commissioners has been released. The report runs down both the closed and public sessions from the conference, most of which were centered on the theme of “Debating ethics: Dignity and respect in data driven life.” “We chose ethics therefore as the theme of this year’s conference, because we wanted to interrogate the notions of right and wrong around the world and across different disciplines which underpin law, technology and how people behave,” European Data Protection Supervisor Giovanni Buttarelli wrote. The report covers the keynote speech from Apple CEO Tim Cook and the panel moderated by IAPP President and CEO J. Trevor Hughes.  [EDPS]

EU – Complaints filed with DPAs Over Ad Auction Companies’ Use of Data

Representatives from the Open Rights Group, University College London and Brave have filed new evidence in their complaints on ad auction companies’ illegal use of personal data. The complainants sent their requests to the data protection authorities in Ireland, Poland and the U.K. The ad auction companies have been accused of the illicit use of sensitive data, such as users’ religious beliefs, health histories, ethnicities and sexual orientations. “Ad auction companies can fix this by simply excluding personal data, including their tracking IDs, from bid requests,” Brave Chief Policy & Industry Relations Officer Johnny Ryan said. “If the industry makes some minor changes then ad auctions can safely operate outside the scope of the GDPR. This would protect privacy, but would also protect marketers and publishers from very significant risk.” [Brave]

Facts & Stats

WW – Hackers Exposing Megaleak of 2.2 Billion Breach Records

Someone has assembled many breached databases into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords and is freely distributing it on hacker forums and torrents, exposing the private data of a significant fraction of humanity. Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all. After accounting for duplicates, analysts at the Hasso Plattner Institute in Potsdam, Germany, found that the total haul represents close to three times the Collection #1 batch. You can check for your own username in the breach using Hasso Plattner Institute’s tool here, and you should change the passwords for any breached sites it flags if you haven’t already. As always, don’t reuse passwords, and use a password manager. (Troy Hunt’s service HaveIBeenPwned offers another helpful check of whether your passwords have been compromised, though as of this writing it doesn’t yet include Collections #2–5.) [Wired]

FOI

CA – City Staff Argue Provincial Law Prevents Sharing Open Data on Deadly Collisions

Edmonton city staff say making data about fatal and serious collisions available to the public would violate provincial privacy laws. A report going to city council’s community and public services committee [see Agenda] argues specific information about collisions cannot be made available on its open data portal because it would violate privacy rules under the Traffic Safety Act. At an October 2018 meeting, Mayor Don Iveson made a motion asking administration to explore adding that information to the city’s data catalogue. The city does share some collision information on its website, but not in a form that can be sorted or used by the public. Conrad Nobert was able to get about 10 years’ worth of data on collisions with pedestrians and bicycles through freedom of information requests in 2015 [and 2016]. In 2017, however, the city refused to hand over the data. Nobert said in a recent interview: “I think whatever privacy the city is protecting is less important, frankly, than the public’s right to know where these collisions are happening because a lot of people are getting hurt and killed in our city.” He said the most frustrating aspect of Edmonton citing provincial rules is that the City of Calgary has live traffic incident data in its open portal that updates every 10 minutes. The city’s transportation department tweets out basic details and locations of collisions as they occur. Other traffic safety advocates have argued for Alberta Minister of Transportation Brian Mason to make province-wide collision data available [see here]. Edmonton Journal | City against releasing details of fatal collisions publicly due to privacy concerns

Genetics

US – How at-Home DNA Kits Are Opening Up Family Secrets

An in-depth piece by The Wall Street Journal looks at the rise of at-home DNA testing kits and the effect they can have on family secrets. Sales of the DNA kits “are soaring as people seek to learn more about their roots,” the report states, but the genetic information can lead to the discovery of extramarital affairs, lost siblings and more. “Given the rapid growth of consumer genetic testing,”… “people can often be identified even if they don’t take a test themselves.” A paper published in Science last October found that more than 60% of individuals in the U.S. of European descent have a third cousin or closer in a DNA database. One of the authors of the paper said, “DNA tests can reveal that there is something odd going on. But they don’t tell you the story of what happened.” Wall Street Journal

Health / Medical

CA – New App Will Let Albertans See Their Own Health Records

Alberta Health is set to launch a new tool, in the coming weeks, that will give patients access to some of their personal health information online. The MyHealth Record portal is designed to be used on computers, tablets or smartphones and the province confirms it is in the final consultation process with physicians and other healthcare providers. According to a web page for health-care professionals, patients will be able to view some lab tests — including results for cholesterol, iron, kidney and liver function — immunization records and their medication history. Lab results are expected to come with links to information about the tests and the results. “This is really the wave of the future,” said Tom Keenan, digital security expert and professor in the faculty of environmental design at the University of Calgary. He points out Alberta Health already keeps personal health information in an electronic health record — Netcare. “All we’re really talking about here is giving you access to some of it.” “The really deep stuff — the stuff that you’ve been in the hospital and had MRIs — those are not going to be available in the public portal and I think that’s a good idea,” he said. One risk, according to Keenan, is people may panic when they see test results they don’t understand, prompting unnecessary doctors’ appointments. It’s something Alberta Health has considered. It’s promising to provide links to medical information to help explain the tests and says public-health nurses at Healthlink — the province’s health information phone line — will also be able to answer questions about information released on MyHealth Record. Alberta Health plans to add more features in the months and years after MyHealth Record is launched. CBC News

US – Apple and Aetna Teaming Up on a New App to Help Track and Reward Healthy Behavior

Apple and insurance giant Aetna have teamed up on an iPhone and Apple Watch app that provides rewards, including an option to earn a free Apple Watch, to members who engage in healthy behaviors like getting regular exercise and more hours of sleep. The new app, dubbed Attain, also provides Aetna members who sign up with nudges, such as to get an annual flu shot or take their medication on time. The two companies have been working together since 2016 on the Attain app, which will be available in the spring of this year. Apple has also made clear that health care is a key area of future growth. The company has a variety of health-related initiatives in progress, ranging from software to collect medical information to biomedical sensors. Earlier this month, Apple’s CEO Tim Cook told CNBC’s Jim Cramer: “I believe, if you zoom out into the future, and you look back, and you ask the question, ‘What was Apple’s greatest contribution to mankind?’ It will be about health.” Understanding that some users may be skittish about sharing personal health information, Apple and Aetna are making privacy a priority. Apple executives have often stressed that the company takes user privacy very seriously. In this case, members’ data is encrypted in transit and at rest, and Apple has said it will not access data that uniquely identifies an individual. For its part, Aetna said that it won’t use the data gathered from the Apple Watch to make coverage decisions, including to increase monthly premiums. [CNBC]

US – Companies Selling ‘Risk Scores’ on Patients With Opioid Risks

Information is being sold to doctors, insurers and hospitals to identify patients who may be at risk of opioid addiction. The data is packaged as a “risk score” and is normally done without a patient’s consent. Companies have been able to gather information from insurance claims, digital health records, housing records and data from a patient’s friends and family. While the risk scores are used to help doctors make informed decisions when they prescribe opioids, patient advocates are concerned the data will be used to prevent patients from getting the medication they need. [Politico]

US – HHS Opens Public RFI to Improve HIPAA Privacy Rule

The U.S. Department of Health and Human Services’ Office for Civil Rights has released a Request for Information on the best ways to improve the Health Insurance Portability and Accountability Act Rules in order to improve care via increased data sharing. The agency will accept public comment on aspects of the HIPAA Privacy Rule, such as the facilitation of parental involvement in care and the disclosures of personal health information for treatment and payment. “We are committed to pursuing the changes needed to improve quality of care and eliminate undue burdens on covered entities while maintaining robust privacy and security protections for individuals’ health information,” OCR Director Roger Severino said. All public comments must be submitted by Feb. 12. [HHS]

WW – Women’s Health Apps Fail to Meet Privacy Standards

Over the past few years, the period-tracking app market has grown by at least $350 million. Despite handling personal health data, the article highlights that the apps are not held to the same privacy standard as health care organizations. “Barring some form of regulation, the market is likely to keep sliding toward ever-more-intensive data mining.” [Bloomberg Businessweek]

US – HITRUST Announces New Framework

The HITRUST Alliance announced it is expanding its framework to now include the EU General Data Protection Regulation and the Singapore Personal Data Protection Act, describing the new model as a “one framework, one assessment.” HITRUST officials also announced the alliance has submitted a formal application with the EU’s Data Protection Board and the Irish Data Protection Commission to have its HITRUST CSF recognized as a standard for GDPR certification. It was also announced that HITRUST is exploring the process for becoming an Accountability Agent under the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules and Procedures for Processing programs. [Healthcare IT News]

US – Insurers’ Access to Medical Data Criticized as Privacy Breach

Insurance companies often require applicants to sign over “full authority” to view their medical records for claims and cover application, causing some to argue the consent grants access to a far greater amount of data than necessary. Josh Mennen from the Australian Lawyers Alliance has called for the “open-ended” access to end, adding, “We believe that it is appropriate to limit the period in which an insurer can go back through medical records to five years.” He also argues that the insurance industry should be required to inform patients of the information obtained under their consent. He adds, “the law and insurance practices do not strike the right balance.” [ABC News]

Horror Stories

WW – 126% Increase in Exposed Consumer Data, 1.68 Billion Email-Related Credentials

The Identity Theft Resource Center and CyberScout have released the 2018 End-of-Year Data Breach Report. The number of U.S. data breaches tracked in 2018 decreased from last year’s all-time high of 1,632 breaches by 31% (or 1,244 breaches), but the reported number of consumer records exposed containing sensitive personally identifiable information jumped 126% from the 197,612,748 records exposed in 2017 to 446,515,334 records this past year. Another critical finding was the number of non-sensitive records compromised, not included in the above totals: an additional 1.68 billion exposed records. While email-related credentials are not considered sensitive personally identifiable information, a majority of consumers use the same username/email and password combinations across multiple platforms, creating serious vulnerability. “When it comes to cyber hygiene, email continues to be the Achilles Heel for the average consumer,” said CyberScout founder and chair, Adam Levin. “There are many strategies consumers can use to minimize their exposure, but the takeaway from this year’s report is clear: Breaches are the third certainty in life, and constant vigilance is the only solution.” Identity Theft Resource Center | On Data Privacy Day, here’s a reminder that you have none Or at least very little

Identity Issues

US – Louisiana Introduces Digital Driver’s Licenses

Drivers in the US state of Louisiana now have the option of obtaining a digital driver’s license, or DDL. Louisiana’s DDL launched in July 2018. While law enforcement will accept the DDL as a valid identification document, other entities, such as retail stores, are not required to accept it. Louisiana’s DDL is not currently accepted by TSA. Digital driver’s licenses are in various stages of development in several other states, including Iowa, Idaho, Colorado, Maryland and the District of Columbia, but none has a statewide rollout. The piloted security features explored include remote revocation by the DMV, encryption at rest/transit and biometric authentication to access the license or transmission of that information. As the states are using different solution providers including Gemalto and IDEMIA, interoperation and equivalent protections are going to be key. Source: Govtech

WW – Digital Drivers Licenses Expose Citizens to Hackers and Abuse: Critics

The world’s largest biometrics surveillance company wants to add your driver’s license photo to its digital library, which already has collected and processed some 3 billion faces. Idemia, based in Paris, is at the center of a push to create digital driver’s licenses, also known as mobile driver’s licenses, that could allow motorists to flash an app on their smartphones — instead of showing traditional plastic ID cards — to prove they can drive, vote or drink beer. Idemia systems are responsible for issuing traditional licenses in 42 states that account for 80% of all U.S. drivers. Idemia is a multinational company that has partnered with U.S. security and law enforcement agencies for decades to provide multilevel data-gathering, including fingerprinting, airport security and facial recognition technologies. But massive data breaches such as those at Facebook and Equifax have put Idemia under scrutiny, especially among privacy and digital rights groups. Critics say the company is vulnerable to hackers and government abuse as it fosters an “Orwellian vision” of a monitored society in which privacy and civil liberties yield to intrusion in the name of public safety and security. Idemia’s U.S. headquarters is in Reston, Virginia. Information that the company collects every day flows into databases at the Departments of Defense and Homeland Security and the FBI, where millions of personal, biographic and biometric files are kept on Americans and foreigners. Critics of the company say it’s unclear how long Idemia stores data because so many details are categorized as “classified” or too sensitive to national security to be made public. According to the Center on Privacy and Technology at the Georgetown Law Center, most adult Americans are already in a facial recognition database because of how governments format driver’s licenses and passport photos for such use. 
The center notes that 31 states currently allow law enforcement to search driver’s license image databases with facial recognition software. Jennifer Lynch, director of surveillance litigation for the Electronic Frontier Foundation, a San Francisco-based digital rights group, warned that too few federal and state regulations sufficiently govern police use of facial recognition technology and that poor data management and “a high rate of misidentifications” have plagued agencies such as Homeland Security. She noted that the department’s inspector general recently criticized the office of biometric identity management for failing to train personnel properly and for relying too heavily on third-party data collectors. In an interview, Ms. Lynch said Idemia poses a threat because of its position at the center of so many government databases. Idemia now is pushing for mobile driver’s licenses as a form of universal digital ID. According to industry reports, Idemia is working with 38 state driver’s license programs, and much of the work is focused on mobile versions using facial recognition technology to unlock access to the app. Police say mobile driver’s licenses connected to a central database could make their work safer and easier because updates could provide information about a motorist’s license suspension, change of address or outstanding tickets and warrants. Civil liberties advocates worry that multiple state mobile driver’s license programs could morph into a de facto national ID system without any significant public debate. Source: Washington Times

Internet / WWW

US – Facebook Hires Privacy Policy Managers

In an attempt to improve its less than stellar record on privacy, Facebook has hired several people who have been critical of the company’s practices. In December, Facebook hired Nathan White, formerly senior legislative manager for Access Now, to be the company’s privacy policy manager. Earlier this week, Facebook announced that it has hired lawyers Robyn Greene and Nate Cardozo, formerly senior policy counsel at New America’s Open Technology Institute and senior information security counsel at the Electronic Frontier Foundation (EFF), respectively. Cardozo will be the WhatsApp privacy policy manager; Greene will be privacy policy manager for law enforcement and data protection. Facebook has also hired Bijan Madhani as its privacy and public policy manager; Madhani was formerly senior policy counsel at the Computer & Communication Industry Association. Sources: Wired | Cyberscoop | Meritalk

WW – Google’s Proposed Changes to Chrome Extension APIs Could Break Ad Blockers

Google’s proposed changes to its Chrome browser would break content-blocking extensions. This includes ad blockers. The potential changes will limit the capabilities of extension developers. The proposed changes would also affect antivirus browser extensions, parental control extensions, and others. A Google software engineer notes that “this design is still in a draft state, and will likely change.” [ZDnet | Wired | The Register | The Register]

Law Enforcement

CA – Sask. Police Reflect on First Year Under New Access and Privacy Laws

Saskatchewan’s The Local Authority Freedom of Information and Protection of Privacy Amendment Act, 2017 (LAFOIP) came into effect on Jan. 1, 2018. Since then, police agencies have been subject to freedom of information requests, and the public is taking advantage of it, with more than 400 requests made to police in five Saskatchewan cities in 2018. The Saskatoon Police Service received a total of 275 information requests in 2018. Of those, 36 were granted in full, 132 were disclosed in part (parts were redacted), 17 brought up no responsive records and 10 were withdrawn by the applicant. Eighteen of the requests were from media, five from researchers and three from associations, groups or businesses. The rest were made by individuals or individuals represented by legal counsel. Smaller police services experienced considerably fewer requests, but some of those requests took exceptional resources to fulfill. Saskatchewan Information and Privacy Commissioner Ronald Kruzeniski said the transition and implementation of the new amendments has gone relatively smoothly. Kruzeniski said one of the biggest challenges has been around the naming — or not naming — of homicide victims in Regina. After the amendments to LAFOIP, the Regina Police Service (RPS) said they would not be automatically releasing the names of homicide victims. The decision triggered backlash from local media and was quickly reversed as the RPS sought insight from Kruzeniski’s office and consulted with media. As it stands now, the RPS will release names on a case-by-case basis. Kruzeniski anticipates similar challenges may arise if the Saskatchewan government follows through on a plan to implement Clare’s Law, which would allow police to disclose records of potentially abusive partners. He also expects more issues will arise as the amendments play out over a second year.
[Regina Leader-Post | Saskatoon police disclosed personal information to Legal Aid without consent: Privacy Commissioner | Prof taking U of R to court over denied freedom of information request]

Location

WW – Google’s Sidewalk Labs Plans to Package and Sell Location Data on Millions of Cellphones

A new initiative known as Replica from Sidewalk Labs, the city-building subsidiary of Google’s parent company Alphabet, offers planning agencies the ability to model an entire city’s patterns of movement. Like “SimCity” [a city-building video game], Replica’s “user-friendly” tool deploys statistical simulations to give a comprehensive view of how, when, and where people travel in urban areas. In recent months, transportation authorities in Kansas City, Portland, and the Chicago area have signed up to glean its insights. The only catch: They’re not completely sure where the data is coming from. Replica uses real-time mobile location data. As Nick Bowden of Sidewalk Labs has explained, “Replica provides a full set of baseline travel including the total number of people on a highway or local street network, what mode they’re using (car, transit, bike, or foot), and their trip purpose (commuting to work, going shopping, heading to school).” The program gathers and de-identifies the location of cellphone users, which it obtains from unspecified third-party vendors. It then models this anonymized data in simulations — creating a synthetic population that faithfully replicates a city’s real-world patterns but that “obscures the real-world travel habits of individual people,” as Bowden told The Intercept. The program comes at a time of growing unease with how tech companies use and share our personal data — and raises new questions about Google’s encroachment on the physical world. The New York Times revealed how sensitive location data is harvested by third parties from our smartphones — often with weak or nonexistent consent provisions. A Motherboard investigation in early January further demonstrated how cell companies sell our locations to stalkers and bounty hunters willing to pay the price. The Google sibling’s plans to gather and commodify real-time location data from millions of cellphones add to these concerns.
An Associated Press investigation showed that Google’s apps and website track people even after they have disabled the location history on their phones. Quartz found that Google was tracking Android users by collecting the addresses of nearby cellphone towers even if all location services were turned off. The company has also been caught using its Street View vehicles to collect the Wi-Fi location data from phones and computers. However, Sidewalk Labs maintains it has instituted significant protections to safeguard privacy, before it even begins creating a synthetic population. Any location data that Sidewalk Labs receives is already de-identified (using methods such as aggregation, differential privacy techniques, or outright removal of unique behaviors). Some urban planners and technologists … remain skeptical about these privacy protections. A landmark study uncovered the extent to which people could be re-identified from seemingly-anonymous data using just four time-stamped data points of where they’ve previously been. There are also lingering questions about how Sidewalk Labs sets limits about the type and quality of consent obtained. A document from the Illinois Department of Transportation describes Replica’s data sources as “mobile carrier data, location data from third-party aggregators and Google location data, to generate travel data for a region.” This data sample, it adds, “is not limited to Android devices” and “is collected from individuals for months at a time, allowing for a complete picture of individual travel patterns.” The Intercept | Related: Location tracking is here to help real estate developers get even richer | 15 senators demand FCC, FTC investigate carriers selling location data

Online Privacy

WW – Apple Revokes Facebook and Google Developer Certificates Because They Used Them to Collect User Data

Facebook paid adults and teenagers to install a data-slurping iOS app using their enterprise certificate, bypassing the Apple App Store and requisite security checks. Apple had previously banned the application from the App Store for violating their data privacy rules. The app allows Facebook to see virtually everything a user does on the device. Apple states that distribution of the application for consumer research violates the terms of their enterprise development license. Google used a similar application to collect user and device data on iOS devices. Google acknowledged their mistake and disabled the application before Apple revoked its enterprise certificate. Both the Facebook and Google apps are still available on Android. [Wired | The Register | Ars Technica | CNet | ZDnet | The Verge]

US – Report Finds Friends Have a Lot to Do With Personal Privacy

A report from the University of Vermont and University of Adelaide found it is possible to predict what a person would post on social media with 95% accuracy, even if the person did not have an account. The discovery was based solely on what a person’s friends posted and looked at more than 30.8 million tweets from 13,905 accounts. “You alone don’t control your privacy on social media platforms,” University of Vermont Professor Jim Bagrow said. “Your friends have a say too.” [CNET]

Other Jurisdictions

WW – New Map Sheds Light on Global Data Protection

In honor of Data Privacy Day, the United Nations Conference on Trade and Development released an interactive map tracking data protection laws across the globe. The Global Cyberlaw Tracker identifies e-commerce legislation, including e-transactions, consumer protection, data protection/privacy, and cybercrime adoption across the 194 member states. While only 58% of the world’s countries have data protection and privacy legislation in place, an additional 10% has drafted legislation currently in the works. [Fast Company]

Privacy (US)

US – Concerns Raised Over Practice of Student Data Collection

Universities are using student data to help determine “demonstrated interest.” The data is used to help inform enrollment officers if an applicant is considering whether to attend by analyzing information such as email opening rates, link clicking, and RSVPs versus attendance to online events. Privacy advocates have raised concerns over the practice. “It feels like surveillance and I don’t think it’s a healthy thing for schools to do,” Common Sense Media Founder and CEO James Steyer said. “Universities should not take privacy rights for granted.” [The Wall Street Journal]

US – Judge Disagrees with Facebook’s Harm Argument in Privacy Case

U.S. District Judge Vince Chhabria disagreed with an argument made by Facebook as the tech company attempts to have a multidistrict privacy case dismissed. Facebook lawyers said the company cannot be sued for third parties that accessed users’ private data since no “real world” harm took place from the arrangement due to users allowing third parties to obtain the data through their privacy controls. Chhabria disagreed with Facebook’s position. “The injury is the disclosure of private information,” said Chhabria, who called the wording Facebook used in the privacy controls “quite vague.” Meanwhile, the Irish Data Protection Commission warned Facebook about the privacy issues it faces in its attempt to merge its messaging apps. [Courthouse News Service]

Privacy Enhancing Technologies (PETs)

WW – New Tech Aims to Add Transparency to Privacy Notices

In a news release, PrivacyCheq announced the release of Privacy Facts Interactive, a new privacy service designed to inform users about privacy notices and fulfill transparency requirements established by the EU General Data Protection Regulation. “Realizing that mobile devices are now the dominant method used to access content, we completely redesigned the privacy notice for optimal use on mobile devices, using the ‘Nutrition Facts’ paradigm that consumers already understand,” PrivacyCheq CEO Roy Smith said. Editor’s Note: The IAPP Privacy Tech Vendor Report lists more than 150 vendors. [Press Release]

RFID / Internet of Things

US – FPF Releases Paper on IoT-Device Privacy for People With Disabilities

The Future of Privacy Forum has released a new paper called “The Internet of Things and People with Disabilities: Exploring the Benefits, Challenges, and Privacy Tensions.” It includes recommendations for approaches to incorporate privacy and accessibility by design. FPF CEO Jules Polonetsky said, “Internet of things devices in homes, cars and on our bodies can improve the quality of life for people with disabilities — if they are designed to be accessible and account for the sensitive nature of the data they collect. We expect this first-of-its-kind paper to inspire collaboration among advocates, academia, government, and industry to ‘bake in’ privacy and accessibility from the start of the design process.” [Full Story]

Security

WW – Report: Data Breaches and Cyber Attacks in Global Risks List Top Five

The World Economic Forum’s (WEF’s) Global Risks Report 2019 places large-scale cyber attacks and mass incidents of data theft at the top of the list of global risks, alongside natural disasters and climate change. The report notes the risk that cyberattacks pose to critical infrastructure, as well as rising concerns about identity theft and the erosion of privacy. [Source: ZDnet | Weforum.org | www3.weforum.org]

Smart Cities

CA – NDP MP Calls Government to ‘Push the Pause Button’ on Sidewalk Labs

In a January 11th, 2019 letter to Infrastructure Minister François-Philippe Champagne, NDP Member of Parliament Charlie Angus addresses the Ontario auditor general’s report, which raised concerns that the project coordinators and organizers didn’t consult anyone from different levels of the government and instead quietly discussed the project with senior political staff [full report see Ch.3 sec. 3.15 “Water Front Toronto”]. In his letter Angus states: “Having a project of this scale pushed through by political staff behind the scenes would be wildly inappropriate. Your government needs to be clear about exactly how this deal was arrived at, particularly the role of several ministerial staffers who have gone on to work directly for Sidewalk Labs.” Angus noted that the lack of transparency surrounding the size of the project is “worrying.” The suggested plan is to construct the smart city within a 12-acre plot of land on Waterfront in downtown Toronto. But Angus said that images of what the site looks like make it seem as if the designated project would take over the entirety of Waterfront Toronto. Privacy concerns around the project have also been a highly contentious topic, which Sidewalk Labs has yet to detail to the public. Angus, who is also the co-chair of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, also noted that the Liberal government doesn’t make a clear distinction between Google and Sidewalk Labs, especially when it comes to the company lobbying. He said that the deal seems to look more like a “plan cooked up with American lobbyists to benefit Google,” adding that Champagne has failed in his leadership to alleviate growing concerns towards the project. Betakit | If done properly, smart cities hold promise in improving quality of life, says information and privacy commissioner | Sidewalk Labs is set to transform Toronto. It’s starting with its own office | The CRA is failing to notify Canadians that their banking records are being shared with the IRS

+++

 

16 – 23 January 2019

Biometrics

US – New York City Bill Requires Biometric Use Transparency

Int. No. 170, a local law requiring businesses to notify customers of the use of biometric identifier technology was introduced in the New York City Council. Commercial establishments that collect, retain, convert, store or share biometrics must disclose such use by placing a clear and conspicuous sign in all entrances (in a form and manner prescribed by the Commissioner), and post online the period of retention, the kind of biometrics collected, any privacy policy governing the use of biometrics, and whether biometrics are shared with third parties. The Law takes effect 180 days after it becomes Law. [Int. No. 170 – A Local Law Requiring Businesses to Notify Customer of the use of Biometric Identifier Technology – New York City Council]

Big Data / Data Analytics / Artificial Intelligence

EU – EU Working Group Urges Organizations to Assess AI Systems

The EU Commission’s working group on artificial intelligence issued draft ethics guidelines for processing personal data through AI. To comply with the GDPR, businesses must be mindful of having a legal basis for processing personal data; while existing law may warrant application of some AI systems (e.g., for money laundering and terrorist financing), the default assumption should be that consent has not been given to be identified (including re-identification from anonymised data). [EC – Draft Ethics Guidelines For Trustworthy AI]

Canada

CA – OIPC AB Asks Government to Protect Citizens’ Data from Political Parties

Alberta Information and Privacy Commissioner Jill Clayton has asked the provincial government to consider alterations to its Personal Information Protection Act to safeguard citizens’ data from political parties. Clayton said even the most basic requirements for political parties’ use of data would be a step in the right direction. Service Alberta Spokesperson Annalise Klingbeil said in an email the government has looked at Clayton’s request. “You would have a right to go to a private sector company and say, ‘What do you have about me, and where did you get it and stop using it and stop disclosing it or, more importantly, safeguard it, and tell me if there is a breach.’ But none of that applies (with political parties),” Clayton said in an interview with Postmedia. [Edmonton Journal]

CA – OIPC NL: More Work on Surveillance Needed by Newfoundland Schools

The OIPC Newfoundland and Labrador reviewed the use of video surveillance in provincial schools and school buses, pursuant to the Access to Information and Protection of Privacy Act. An audit by the OIPC found that the school district did not demonstrate an overarching authority to collect PI via video surveillance, and not all schools have any or enough signage; recommendations include to complete a template for exterior signage (currently in development), and in the absence of general authority, discontinue the installation of new cameras in existing schools. [OIPC NFLD – The Use of Video Surveillance in Schools and on School Buses]

CA – Canadian Association Explores GDPR Impacts on Businesses

The Canadian Chamber of Commerce issued a report on how nations are reacting to the use and abuse of personal information through privacy legislation. Canadian businesses identified the following as unintended consequences of the GDPR: job complexity, costs of ensuring compliance, risk of losing valuable data through compulsory retention and deletion, data localization restrictions, and reduced ability to be competitive. Changes to Canada’s regulatory framework must consider both privacy and economic factors. [A Data Deficit – The Risk of Getting it Wrong – Canadian Chamber of Commerce]

CA – Ontario Court Finds Online Post by Law Enforcement Defamatory

The Court considered a request for dismissal by police services and Crime Stoppers of an individual’s claim for defamation and negligence. The police services and Crime Stoppers posted an image of an individual along with a description which suggested that she was guilty of a purse snatching; generally words suggesting that a person is guilty of a criminal act are defamatory as they tend to lower the person’s reputation, and the message was communicated to other persons (on Crime Stoppers’ webpage). [Gabrielle Roy v. Ottawa Capital Area Crime Stoppers et al. – 2018 ONSC 4207 CanLII – Ontario Superior Court of Justice]

CA – OIPC AB Finds Increased Likelihood of Harm

The Office of the Information and Privacy Commissioner of Alberta was notified by a human resources service company of unauthorized access to personal information, pursuant to the Personal Information Protection Act. A company was subject to a targeted email phishing attack that resulted in email accounts of two employees being accessed and used by a third party to send out further phishing emails; there is an increased risk of harm as identity information can be used for harms of identity theft and fraud, and employment information can be used to cause hurt, humiliation and embarrassment. [OIPC AB – Breach Notification Decision – P2018-ND-156 – Morneau Shepell Ltd]

Consumer

WW – Majority of Facebook Users Unaware of Data Algorithms for Targeted Ads

A survey conducted by the Pew Research Center found the majority of Facebook users do not know the platform uses algorithms to collect their information for targeted ads. Of the 963 U.S. Facebook users polled, 74% said they were unaware Facebook tracked a list of their interests and traits for their “Your ad preferences” page. When asked how they felt about the ad preferences page, 51% said they were not comfortable with the practice. While 59% of users said the findings on the ad preference page were accurate, 27% said the listings were not a proper representation of their interests. [Full Story]

E-Government

US – Audit Found Illegal Data Sharing at Utah Driver License Division

A state audit found that the Utah Driver License Division is illegally sharing personal data with five government agencies. The data is reported to include Social Security numbers, birthdates, physical characteristics, addresses and license numbers. The audit notes that state law bans the sharing of personally identifiable information “except in the interest of public safety or as specifically authorized in statute.” In response, the Driver License Division claimed the law can be interpreted differently and plans to ask for clarification from the Legislature. [U.S. News & World Report]

E-Mail

CA – CRTC Addresses CASL Consent Exemptions

The Canadian Radio-television and Telecommunications Commission updated its FAQs for compliance with Canada’s Anti-Spam Legislation (CASL). CASL does not apply to commercial electronic messages sent to limited access, secure confidential accounts (where communications are only one way and sent by the entity who provided the account), market research or surveys with no commercial content (do not engage in commercial activity under the guise of a survey) or employment recruitment messages (unless there is an option to subscribe to notification of future opportunities). [CRTC – FAQs about CASL]

Electronic Records

US – National Institutes of Health Expands Data-Collection Efforts

The U.S. Department of Health and Human Services’ National Institutes of Health announced the All of Us Research Program has launched the Fitbit Bring-Your-Own-Device project, which will enable participants to share health information with researchers to help aid discovery and broaden the program’s data-collection efforts. “Collecting real-world, real-time data through digital technologies will become a fundamental part of the program,” All of Us Research Program Director Eric Dishman said. “This information, in combination with many other data types, will give us an unprecedented ability to better understand the impact of lifestyle and environment on health outcomes and, ultimately, develop better strategies for keeping people healthy in a very precise, individualized way.” [AllOfUs]

EU Developments

EU – Political Parties Face Fines for Data Misuse Under New EU Rules

The European Parliament and European Union member states have agreed to a new set of rules to curb the misuse of personal data to influence elections. Any political party found to have used personal information to influence voter behavior can now be fined under the new law. All EU institutions have approved the law, but Parliament and Council must still formally adopt the final text. “We expect European political parties to fully respect the rules, so that Europeans can cast their vote being fully and fairly informed during the campaign,” EU Justice Commissioner Věra Jourová said on Twitter. [Politico]

UK – UK Passes Regulations Requiring Retention of Communications Data

The UK passed The Data Retention and Acquisition Regulations 2018, related to information about communications data. The Regulations amend the current retention regime to conform to EU law, requiring telecoms and postal operators to retain and disclose communications data for purposes of national security, public safety, or to prevent death or injury; an authorisation may relate to data not yet in existence, or used by another telecom in relation to the same telecommunications system. [The Data Retention and Acquisition Regulations 2018 – 2018 No. 1123 – UK Government]

EU – German DPA Advises on Controller Restrictions for DPOs

The Data Protection Authority in the German province of Baden-Wurttemberg issued guidance on data protection officers, pursuant to the GDPR. Internally appointed DPOs should not hold other positions with conflicts of interest (CEO, IT head, HR director, authorised signatory); controllers should not instruct DPOs to come to specific decisions about processing activities, and DPOs cannot be dismissed or disciplined for performing their designated duties. DPOs should focus on more risky processing activities, and can be consulted on DPIA issues (methodology to follow, if the DPIA has been carried out correctly). [DPA Baden-Wurttemberg – DPO Practice Guide (in German)]

EU – DPA Belgium Publishes Form for Breach Reporting

The Data Protection Authority in Belgium published its process for reporting data breaches, pursuant to article 33 of the GDPR. A comprehensive form has been provided that can be downloaded, electronically completed, and submitted via the DPA’s web portal; form contents include breach details (nature of the breached data, processing affected, number of affected individuals), preventive measures that will be taken (e.g. remote wipe, hashing, password change), and details of the assessment used to determine risks to affected individuals’ rights and freedoms. [DPA Belgium – Notification Form of a Data Breach: Electronic Portal | Form Instructions]

FOI

CA – Nova Scotia Transportation Department Will Not Fulfill Tully’s Request on Ferry Operator’s Fees

The Nova Scotia Opposition Progressive Conservatives party wrote in a letter the Transportation Department will not fulfill a request made by Privacy Commissioner Catherine Tully on the management fees and bonuses paid to the private operator of a ferry that travels from Yarmouth to Maine, the Vancouver Sun reports. Deputy Minister Paul LaFleche said the department has no plans to honor Tully’s inquiry. “There is a legitimate public interest in protecting the confidential commercial information of third-party businesses,” LaFleche wrote. Tully said she was not surprised by the response. “We’ve seen a pattern as I reported in my annual report over the past year or two, where the government has been quite frequently rejecting recommendations for further disclosure that I make,” Tully said. [Vancouver Sun]

CA – Coalition Calls for Update to Nova Scotia Laws in Response to FOI Breach

The Right to Know Coalition has released a report on the Nova Scotia freedom-of-information data breach. After more information about the breach was released by the privacy commissioner of Nova Scotia, Right to Know Coalition President Michael Karanicolas said the breach had a wider scope than initially reported. Karanicolas added the province’s privacy laws need to be updated. “We have [25-year-old] laws that date from just a couple years after the commercial internet was established and have not been updated since then,” Karanicolas said. “We need a [21st-century] approach to the problem.” [Halifax Today]

Genetics

US – Researchers Propose Patient-Driven Genetic Data Sharing

Forbes reports on an effort to change the way in which companies that sell genetic tests and store patient data react to patients’ requests for their personal data. Citing instances when patients had difficulty collecting their own genetic data from companies, the article points to a study addressing a frustration among cancer researchers, which is that despite the abundance of voluntary data, most is unusable due to how data sharing is enabled across platforms. In the study, researchers troubled by the difficulty of finding a comprehensive data set have proposed a “patient-driven cancer genome collective to directly address this need and empower data liberation and donation to advance cancer research and patient empowerment.” [Forbes]

Health / Medical

CA – Disclosure of PHI Necessary to Defend Claim

The Ontario Human Rights Tribunal considered whether a transit company can obtain personal health information of an employee in a discrimination case. The Human Rights Tribunal ordered the disclosure of an employee’s PHI to her employer for the purpose of responding to, and defending against, a discrimination claim regarding the employee’s disability; the PHI can be disclosed to potential witnesses who may be called upon to give evidence (they must be reminded to keep the information in strict confidence), and only PHI necessary to facilitate a response can be used. [Cameron v. Toronto Transit Commission – 2018 HRTO 1862 CanLII – Human Rights Tribunal of Ontario]

CA – Woman Says Sexual Trauma History Leaked in Nova Scotia FOI Data Breach

A woman who was a victim of the Nova Scotia government’s freedom-of-information website data breach has spoken out after she discovered information on the sexual trauma she suffered as a child was leaked in the incident. The woman said she originally received nearly 300 pages of documents in February 2018 about her ordeals, about two months before she was informed her data was compromised in the FOI website breach. “The nature of my request had already been about sexual trauma, so for them to post that for the world to see was further victimization,” the woman said. McInnes Cooper Partner David Fraser said Canadian courts have previously awarded financial compensation for data breach victims who have been affected by psychological harm. [CBC News]

CA – Privacy Concerns Surround Streamed Video of Newborn Seized From Winnipeg Hospital

A video was posted of child welfare officials who seized a newborn child from Winnipeg’s St. Boniface Hospital. The uncle of the mother streamed the incident as Winnipeg Child and Family Services officials took the child. Fearless R2W Coordinator Mary Burton said the video could expose the family to judgment from viewers who do not know the circumstances behind the moment; however, she notes it can also shine a light on these types of seizures. Manitoba’s Child and Family Services Act prohibits the publication of any identifying information about individuals involved with Child and Family Services. [CBC News]

CA – OIPC PEI Releases Report on Health PEI breach

Prince Edward Island Information and Privacy Commissioner Karen Rose released her report on Health PEI’s response to the discovery of a former employee who illicitly accessed the records of 353 patients. Rose noted Health PEI does carry out random audits of employees to determine how they access the system; however, she deemed the audits inadequate after it was revealed the employee continued their inappropriate behavior for three years. “There is room for improvement in their auditing process, for better detection of snooping,” Rose wrote in the report. “I recommend that Health PEI conduct a careful analysis of its auditing process.” [CBC News]

US – New York Enforces Prescription Privacy

Assembly Bill 73, amending the Public Health Law in relation to prescription privacy, has been filed for introduction in the New York Legislature. If passed, healthcare providers (including pharmacists, insurers, or drug manufacturers) shall be prohibited from disclosing, selling, transferring, providing or using any patient individual identifying information to any entity for marketing purposes; exceptions include payment or reimbursement for health care services (e.g. medical necessity or utilization review), and health research purposes (conducting clinical trials to review effects of prescribing services). If passed, the bill will take effect within 180 days. [AB 73 – An Act to Amend the Public Health Law in Relation to Prescription Privacy]

Horror Stories

US – Data Breach Exposes 7 Years of FBI Information

Three terabytes of unprotected data from the Oklahoma Securities Commission were discovered by a researcher with cybersecurity firm UpGuard. The data included millions of files, much of which contained sensitive U.S. Federal Bureau of Investigation information dating back seven years, as well as emails dating back 17 years and personally identifiable information. A spokesperson for the FBI said, “Adhering to Department of Justice policy, the FBI neither confirms nor denies any investigation.” Charles Kaiser, a spokesperson at the commission, said, “This matter is under investigation and the department has no further comment at this time.” Meanwhile, Mashable reports hackers recently exposed more than 87 gigabytes of passwords and email addresses. [Forbes]

Location

US – House Republicans Press Telecoms for Geolocation Answers

Following the discovery of telecoms’ sale of geolocation data, House Energy and Commerce Committee ranking member Greg Walden, R-Ore., along with three other Republican committee members, has sent letters to T-Mobile, AT&T, Sprint and Verizon, asking the companies to explain the privacy policies concerning location-based information and services. The lawmakers also sent letters to Zumigo and MicroBilt, asking that the companies identify all commercial relationships with both U.S. and foreign wireless carriers. In a statement, the lawmakers said, “We are deeply troubled because it is not the first time we have received reports and information about the sharing of mobile users’ location information involving a number of parties who may have misused personally identifiable information.” [Bloomberg Law]

Online Privacy

US – NYT Changes Its Ad Game Following GDPR

The New York Times has undertaken changes to its advertising practices to handle the EU General Data Protection Regulation. After the GDPR went into effect, the Times decided to prohibit the purchases of open-exchange advertisements on its European pages, as well as any form of behavioral targeting. New York Times International Senior Vice President for Global Advertising Jean-Christophe Demarta said the organization now places its efforts on contextual and geographical targeting and privacy marketplace deals. “The fact that we are no longer offering behavioral targeting options in Europe does not seem to be in the way of what advertisers want to do with us,” Demarta said. “We have not been impacted from a revenue standpoint, and, on the contrary, our digital advertising business continues to grow nicely.” [Digiday]

Privacy (US)

US – Advocacy Groups Release Proposal for New Data Protection Agency

A coalition of advocacy groups has released a proposal to create a federal data protection agency to regulate businesses’ use of personal data. The new agency would supplant the Federal Trade Commission in terms of enforcement capabilities. “Privacy advocates are fed up with the FTC and with Washington failing to rein in the immense power the big data giants hold,” Center for Digital Democracy Executive Director Jeffrey Chester said. The groups’ proposal clashes with the Information Technology and Innovation Foundation’s plan to give the FTC more enforcement authority, as well as create a single U.S. privacy law. [ABC News]

US – FTC and FCC Called on to Enforce Privacy Regulation

Public Knowledge has called on the U.S. Federal Communications Commission and the U.S. Federal Trade Commission to enforce customer privacy network information regulation following a report that found a California VoIP provider left millions of text messages and call records on an unsecured database for months. The article states that Public Knowledge Senior Vice President Harold Feld called for the FTC and FCC “to get off the privacy sidelines and into the game.” Due to the government shutdown, a spokesperson for the FCC was unable to comment, saying it was “beyond the scope of allowable activities.” [Multichannel News]

US – Opinion: DeID, Pseudonymization, Aggregation, and the CCPA

The California Consumer Privacy Act is notorious for the haste with which it was drafted. Many provisions of the statute require clarification, and the attorney general’s office is holding a series of public forums before issuing clarifying regulations. Among the concepts not well defined by the CCPA are deidentification, pseudonymization and aggregation. In this piece for Privacy Tracker, IAPP Westin Fellow Mitchell Noordyke takes a look at some of the challenges the CCPA creates with its imprecise language regarding these topics and points out some of the limited benefits the CCPA offers a business for each type of data treatment technique. [IAPP.org | Privacy, trust and My Health Record]

US – Google Asks Judge to Dismiss COPPA Lawsuit

Google asked a federal judge to dismiss a lawsuit that accuses the company of violating the federal Children’s Online Privacy Protection Act by including apps developed by Tiny Lab in Google Play’s Designed for Families program. According to papers filed last week, the company argues it is not responsible for any violation of the law, adding, “Google Play is merely a platform for the sale or distribution of apps and the Federal Trade Commission — the agency charged with rulemaking and enforcement under COPPA — has made clear that COPPA does not apply to such platforms.” [MediaPost]

US – SCOTUS Case to Look at Art. III Standing, Identifiable Information, Concrete Harm

A case currently making its way through the Supreme Court’s docket may have far-reaching implications for the future of privacy litigation. While the case, Frank v. Gaos, concerns cy pres class-action settlements and their appropriateness, another issue has captured the court’s attention: Article III standing, and, specifically, whether the plaintiffs in the case pleaded sufficient concrete harm. Mitchell Noordyke writes, “Buried in the nuanced discussions about current standing quandaries … is an important question: Are search terms plus an IP address individually identifying and is their mere disclosure a concrete harm? If the answer is yes, the implications for privacy litigation are immense.” [Privacy Tracker]

Security

US – CEOs Identify Cybersecurity as Top Concern

A new survey from The Conference Board found that U.S. CEOs rank cybersecurity as the biggest external concern for 2019, followed by new competitors and the risk of a recession, Fortune reports. Globally, cybersecurity ranked lower, falling to the sixth largest concern in Europe, seventh in Latin America, eighth in Japan, and 10th in China. Despite cybersecurity ranking high among U.S. CEOs, compliance with privacy regulation only ranked 12th. Worldwide, fears of a recession ranked much higher among CEOs. [Full Story]

US – FINRA Identifies Effective Practices for Mobile Devices

The Financial Industry Regulatory Authority (FINRA) has released 2018 Selected Cybersecurity Practices for Mobile Devices. Effective practices are also available on the following topics:

  • branch control;
  • phishing;
  • insider threats; and
  • penetration testing.

Broker-dealer firms must develop policies and procedures addressing employee obligations to protect customer and firm information, and bring-your-own-device standards for the use of personal devices for firm business. For customers, the firms must monitor mobile application markets on the dark web for malicious applications that impersonate the firm’s mobile application, and require multi-factor authentication for access to customer accounts and trading applications. [FINRA – Selected Cybersecurity Practices 2018 – Mobile Devices]

Surveillance

US – Advocacy Groups Ask Companies to Stop Sales of Surveillance Tech to Government

The American Civil Liberties Union and more than 85 other advocacy groups have signed letters sent to Amazon, Google and Microsoft executives asking the tech companies to no longer sell surveillance tech to the government. The letters were addressed to Microsoft CEO Satya Nadella and President Brad Smith, Google CEO Sundar Pichai and Senior Vice President of Global Affairs Kent Walker, and Amazon Founder and CEO Jeff Bezos and General Counsel and Senior Vice President David Zapolsky. The groups address the tech companies’ recent interactions with surveillance tech, such as Smith’s call for governments and tech organizations to address facial recognition and Amazon’s commitments to its Rekognition tool. [ACLU]

 

+++