
pmrm message



Subject: Fwd: Australian Privacy Commissioner finds Veda violated privacy rules


Please see how IAPP is positioning the PMRM: 

PRIVACY OPERATIONS MANAGEMENT

This new methodology helps make data protection a science

See below: 
---------- Forwarded message ----------
From: IAPP Asia Pacific Digest <publications@iapp.org>
Date: Thu, Dec 15, 2016 at 4:15 PM
Subject: Australian Privacy Commissioner finds Veda violated privacy rules
To: gail.magnuson@gmail.com


16 December 2016

Here are the latest updates from around the region…

This week, we find ourselves asking whether privacy in the modern world is akin to the privacy of a goldfish in a bowl? The Kiwis certainly seem to think so with the 2015 World Internet Project (NZ) survey results showing that 45 percent of internet users believe that there is no such thing as online privacy (and accept this!). Meanwhile, the NSW state government is leading a push to increase privacy rights with its proposed civil remedies that would allow people to sue for damages for serious invasions of privacy in addition to its plan to criminalise revenge porn due in early 2017.

We also look at the emergence of smart cities with Singapore’s ground-breaking "city brain" project that certainly takes big data and the internet of things to a whole new level. The city brain technology aims to build comprehensive digital views for managing cities by building a national operating system for over 100 million objects, ranging from traffic cameras to air quality sensors. But what will remain of privacy, and is the key to this issue, "trust," as Minister Puthucheary says?

Trust has likely dissipated for Hong Kong users of payment apps after it was revealed by FactWire that five of China’s most popular mobile payment apps are all able to gain access to smartphones and collect sensitive information that is vulnerable to misuse and monitoring by China’s mainland. Meanwhile a police sergeant in Hong Kong has launched an appeal against the privacy watchdog after it concluded that his privacy was not invaded during a disciplinary investigation into his gambling activities that saw the Hong Kong Police Force take 10 months’ records despite the fact that they only had a court order for three months’ records.

Back in Australia, Victorian lawyers are outraged by the state government’s proposed changes to allow DNA samples to be taken from suspects without a court order, allowing it to dramatically increase, by tenfold, the number of DNA samples it can analyse.

Finally, as 2016 draws to a close, I wanted to take this opportunity to wish you all a relaxing break and a prosperous new year on behalf of iappANZ!

Katherine Sainty
iappANZ Contributor

Train in Singapore

ADVANCE YOUR CAREER

Looking for excellent data protection training? We can help! Straits Interactive brings you the IAPP’s Privacy in Technology program. This is the step you need toward your CIPT certification — the world’s only globally-recognized credential in personal data protection.
10 January, 17-18 January, Singapore


ENFORCEMENT—AUSTRALIA

Australian Privacy Commissioner finds Veda violated privacy rules

After numerous complaints, the Australian Privacy Commissioner has found Veda has violated privacy rules by selling products to users who only wanted a copy of their credit report, "which, by law, they're able to access for free once a year," The Sydney Morning Herald reports. "Commissioner Timothy Pilgrim said Veda 'interfered' with the privacy of these customers by charging for 'expedited' delivery of a credit report, even though the person hadn't accessed a report in the previous 12 months, and for failing to prominently state their rights," the report states. "He also determined Veda didn't take reasonable steps to ensure the free option was as available and easy to identify as the commercial product." As such, Consumer Action CEO Gerard Brody has encouraged consumers to contact Veda to get a refund. (Registration may be required to access this story.) 


INTERNET OF THINGS—SINGAPORE

'City brain' tech on target to make Singapore an internet of things-powered hub

Singapore's plan to embrace "city brain" technology, utilizing 100 million smart objects in five years, is both groundbreaking and rife with privacy questions, Computerworld reports. "In theory, a city brain could be used by municipal administrators to check on a wide variety of conditions," such as weather, elderly housing and transportation issues, the report states. The program may additionally use "the estimated five million smartphones carried by Singaporeans" to make it happen. "Of course, there will be loss of privacy or, worst case, the chance of data being hacked," said Gartner's Jacqueline Heng. "This is not just a Singapore problem; it's a global problem," adding that "any government must still enforce certain laws to prevent misuse." 



TRANS-BORDER DATA FLOW—EU & JAPAN

EU-Japan free trade deal hits data flow roadblock

A potential free-trade deal between the European Union and Japan hit a roadblock as the two sides look to agree on data flows, POLITICO reports. Japan is looking to secure “adequacy decision” status, meaning the EU would recognize Japan’s privacy laws on the same level as its own, allowing data to flow freely between the two sides. While the European Commission wants to agree on a deal, it believes Japan’s privacy laws would need years to become as strong as those seen in the EU. The EU is currently unwilling to add data flows in the deal. “The European Parliament will not ratify an agreement that undermines data protection in the EU and the Commission knows this,” said Dutch Liberal MEP Marietje Schaake.


PRIVACY LAW—AUSTRALIA

NSW's attorney general argues for national revenge porn law as state version garners support

Attorney General Gabrielle Upton has called the New South Wales' government effort behind passing a potential revenge porn law "only one piece of the puzzle" as its representatives work to drum up support for a similar, countrywide privacy regulation, The Age reports. "NSW is leading the way to work out what a civil remedy would look like so victims right across Australia have access to justice," Upton added. In the meantime, the state version of the bill has received "widespread support" with the NSW government planning to debut the bill sometime in early 2017. If the civil action should pass, "it would allow people to sue for damages in court for serious invasions of privacy, which would extend well beyond revenge porn," the report adds. 


PRIVACY LAW—AUSTRALIA

DNA legislation has lawyers, civil liberties groups spooked

Victorian lawyers and civil liberties groups have expressed "outrage" over the government's move that enables law enforcement officials to take DNA samples from suspects without a court order, The Australian reports. The government-backed legislation "has been welcomed by police, who foresee a tenfold increase in the number of DNA samples that will become available" while bringing "Victoria in line with NSW, South Australia, Western Australia and the Northern Territory where a senior police officer can already authorize DNA sampling without charges being laid in cases of serious crimes," the report states. While civil liberties group Liberty Victoria and others have expressed criticism and alarm, Police Association Secretary Ron Iddles said that law enforcement will use appropriate safeguards while embracing a technique that will speed up investigations, the report adds. (Registration may be required to access this story.)


PRIVACY RESEARCH—NEW ZEALAND

Study: 45 percent of respondents don't have expectation of privacy online

Auckland University of Technology's 2015 World Internet Project in New Zealand survey has found that 45 percent of the 1,377 respondents do not believe privacy exists online, Stuff reports. Eleven percent of the surveyed said they had their privacy violated online, the report adds. University of Auckland professor in computer sciences, Clark Thomborson, thinks the responses indicate a changing attitude about what privacy means on the internet. "They're shifting so rapidly now," he said. "I think many people are starting to become aware of the risks but don't accept privacy has gone, it's just that the boundaries are different."


INFOSECURITY—HONG KONG

Financial apps sending Hong Kongese smartphone data to the mainland

A FactWire investigation has claimed that five popular Chinese mobile payment apps are able to access Hong Kongese users' smartphones and transmit information to mainland China, the South China Morning Post reports. Using program analysis on WeChat, Tmall, Alipay, Taobao, and Taobao World, FactWire found "the apps could immediately, upon installation, obtain sensitive data that could track and identify a user, such as a smartphone’s unique code and a SIM card’s identification number," which was "then recorded into files that were available for transfer to mainland servers," the report states. The office of the Privacy Commissioner for Personal Data confirmed that the apps' transfer of data was legal. This isn't the first controversy for such tools, as an additional Consumer Council report from October found many of the same apps store data too long. 


PRIVACY LAW—HONG KONG

Police sergeant takes Hong Kong gambling case to government's appeals board

Hong Kongese police sergeant Lee King-man has alleged the Hong Kong Police Force unlawfully accessed more of his gambling records than court ordered for an investigation, and has brought his claims to the government’s appeals board, the South China Morning Post reports. The sergeant was under investigation for placing bets and bookmaking during office hours, the report states, and the court had allowed investigators access to three months of his records at the Hong Kong Jockey Club. The force received 10 months of data. “If they needed extra personal data, they should have applied to the court for a warrant extension or issued a written request to the company in accordance with the (privacy) ordinance,” Lee said. “But they did not do so.” The privacy commissioner for personal data had previously found the police officers had not broken the law, the report adds. (Registration may be required to access this story.) 


PRIVACY OPERATIONS MANAGEMENT

This new methodology helps make data protection a science

Over the course of the last four decades, global technological innovation has evolved and disrupted business models of all sorts. "But from a privacy perspective," writes independent data privacy and cybersecurity consultant John Sabo, "this disruption has outstripped the ability of business owners, government agencies, IT engineers, and developers to confidently deliver the data protection obligations expected by regulators, consumers and citizens in online and back-end systems." With the EU's General Data Protection Regulation on the horizon, things are about to get a lot more complex. Enter the OASIS Privacy Management Reference Model and Methodology. In this post for Privacy Tech, Sabo, with the help of Michele Drgon, CIPM, Michael Willet, and Gail Magnuson, dives into what this new methodology is capable of and how it can help make data protection more of a science than an art.


PRIVACY COMMUNITY

Podcast: Hintze looks back at Microsoft and forward to private practice

If you don't know him personally, you probably know the name Mike Hintze, FIP, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT. He was chief privacy counsel at Microsoft for 18 years. But he's since moved on to private practice in Seattle, Washington, working alongside his wife, Susan Lyon-Hintze, CIPP/US, at their boutique firm, Hintze Law. In this episode of The Privacy Advisor Podcast, Hintze talks about his experiences working for the tech giant, why he decided it was time to go, and what he plans to get out of taking on this completely new chapter in his career. 


ETHICS

Using big data, and privacy, to fight Zika

This year, Unicef wanted to educate Brazilians on how to protect themselves against the Zika virus, which can particularly affect unborn children, resulting in birth defects affecting brain development. But what messages would resonate? Who’s talking about Zika and what are they saying? The humanitarian organization could have conducted a survey, but that costs money and consumes valuable time. So the organization turned to social media. “Because of the scale at which Facebook operates, we’re able to analyze aggregated Facebook posts to see how people are talking about Zika and what they were thinking," said Molly Jackman, public policy research manager at Facebook. Might there be some privacy issues there, though? IAPP Publications Director Sam Pfeifle spoke with Jackman for The Privacy Advisor about how Facebook worked to do good without doing harm. 


PRIVACY-ENHANCING TECHNOLOGY

Op-ed: Data minimization vital for startups

In an op-ed for TechCrunch, Nathan Kinch writes about the importance of data minimization for startups. Data minimization is becoming increasingly important, as several regulations around the world make it crucial for a startup’s success, including the General Data Protection Regulation. Kinch offers data minimization design rules for startups, including collecting data progressively and only when needed, clearly stating why the data is being collected, and giving back data to the user. “So consider giving back data as a design rule and practice. Empower your customers to engage with you in multidirectional data exchange that creates shared value,” writes Kinch. “Think of it like this: If giving back data is embedded into your onboarding journey, and the customer has the ability to control and utilize that information, you can ask to make use of it at appropriate times.”


PRIVACY LAW

Roundup: Canada, Spain, Tunisia, US and more

In this week’s Privacy Tracker legislative roundup, read about the potential for updates to Spain’s privacy law and a new national ID card in Tunisia, which is drawing privacy concerns. In Canada, a proposed bill aims to shield health care facilities that provide services for medically assisted death and a Supreme Court ruling offers some insight into when vendors can share personal information without violating the Personal Information Protection and Electronic Documents Act. In the U.S., Rep. Jackie Speier, D-Calif., has introduced the Safe Transfer Act, which would require academic transcripts to include violations of a school’s sexual violence policies; Republicans within the Federal Communications Commission are planning to repeal net neutrality and privacy rules; and the House Intelligence Committee has passed the 2017 Intelligence Authorization Act. (IAPP member login required.)


PRIVACY-ENHANCING TECHNOLOGY

Web con: 'Embedding Privacy by Design'

Thinking about privacy protection and controls after a new product, service or program has launched is always suboptimal when it comes to protecting the personal data of those involved in the new effort. A much more effective approach is to think about the collection, use and storage of that valuable and sensitive information before you even collect it. Privacy by design refers to the process of proactively crafting processes and procedures to do just that, with the goal of protecting and properly stewarding that information while it’s in your control. This recording of a popular Atlanta KnowledgeNet presentation given in 2016, entitled "Embedding Privacy by Design," will explain what privacy by design is, and how you can apply it to the privacy efforts within your organization.


PRIVACY OPERATIONS MANAGEMENT

Web con: What you need to know about evaluating cyberinsurance

Mature privacy programs, when well implemented, can cover much of the risk inherent in storing and processing personal and sensitive information within your organization. That said, the ever increasing threat of cyberattacks makes it impossible to account for all risk. Enter cyberinsurance. A well considered policy purchased after a thorough internal evaluation can take up much of the "residual risk" remaining after accounting for your privacy program controls. This process is complicated and challenging in a changing marketplace. Understanding what you need to know to best approach the purchasing process is critical to selecting the right policy for your organization. Join our panel of experienced professionals on 22 Dec. for the IAPP Web Conference "Evaluating and Purchasing Cyberinsurance: What you Need to Know." Panelists will discuss how to determine if you need a policy, what to do to prepare for purchase, and how to effectively evaluate the existing field of vendors.


PRIVACY OPERATIONS MANAGEMENT

Be ready for a breach with the IAPP Resource Center

It seems as if the past few years have all been referred to as "the year of the breach" at one time or another. Given that, it would probably be a wise decision to make sure your breach response plan is up to snuff. On the IAPP's Responding to a Breach resource page, you'll find recent guidance from the U.S. Federal Trade Commission; Hogan Lovells' new tool, Ready, Set, Respond; templates; check lists; and insight on the outside stakeholder groups you’ll be working with once a breach happens. Also find insight on breach response under the EU General Data Protection Regulation and U.S. state breach notification laws. Find the tools and insight to help your organization prepare for a breach and learn how to respond in ways that can save your company's finances and reputation in the IAPP Resource Center. (IAPP member login required.)


DATA LOSS

Yahoo confirms 2013 data breach affecting 1B users, biggest in history

Following its confirmation of a data breach in 2014 affecting 500 million users, Yahoo said it discovered another cyberattack from 2013, compromising more than 1 billion accounts, the Guardian reports. Yahoo believes the two incidents are connected and said the breaches are “state-sponsored,” Yahoo CISO Bob Lord wrote in a blog post. The attackers used “forged cookies” to access user accounts without passwords. While using these cookies, hackers could misidentify themselves as the primary user of the account. Yahoo said the compromised information could have possibly included names, email addresses, telephone numbers, dates of birth, hashed passwords, and in certain cases, encrypted or unencrypted security questions and answers. Yahoo said no financial information was affected. The company is notifying affected users and asking them to change their passwords. The announcement has prompted Sen. Mark Warner, D-Va., to call for an investigation.


EMPLOYEE PRIVACY

Companies look to publicly report employees' health

A group of companies, including IBM, PepsiCo and Johnson & Johnson are working to find a way to publicly report and measure the health of their employees, The Wall Street Journal reports. The ratings, currently under consideration by a coalition of employers and insurers called the Health Metrics Working Group, would offer shareholders and other high ranking company officials a look into a company’s efforts to improve employee health and whether the efforts are working. The health information will be presented in the aggregate in order to comply with health privacy laws. “All the working group members support the concept of reporting on employee health metrics, but if and how that gets implemented will vary quite widely,” said Vitality Institute Senior Communications Specialist Shahnaz Radjy. (Registration may be required to access this story.) 


PRIVACY OPERATIONS MANAGEMENT

Report: 42 percent of companies do not have cyberattack communications plans

An EY report finds many companies do not have a plan for communicating with the public following a cyberattack, CNBC reports. EY’s annual Global Information Security Survey revealed 50 percent of the 1,735 participating organizations said they were confident they could detect an attack, but 42 percent did not have a communications strategy in place if an attack took place. Another 48 percent said they would not notify impacted customers within the first week. "It's imperative to address if any weaknesses or failures in the recovery plans become known, because the longer these problems continue, the worse the situation will get. In fact, many of the proposed regulations or laws around reporting of cyberattacks say that companies must notify customers within a certain number of days," said EY Global Cybersecurity Lead Paul van Kessel. In other news, Blancco Technology Group released a report revealing delays companies face in breach detection and notification and the regulatory challenges this causes for data protection.


MARKETING PRIVACY

CoinDesk, Brave Software make deal in an effort to curb ad tracking

Brave Software has inked a deal with bitcoin information site CoinDesk, a move that Brave leadership hopes will propel the company's browser towards tracker-free ads, CNET reports. "Under the first phase of the deal, CoinDesk has begun promoting the browser on its website, has cut out ads from third-party advertising suppliers, and can garner revenue from Brave users who choose to pay publishers through the browser," the report states. "Those payments use the existing Brave Payments technology, which anonymously pays the publishers whose websites people visit." However, Brave Software CEO and Mozilla co-founder Brendan Eich hopes that Brave "could let CoinDesk show ads without intrusive technology that tracks users," the report continues. Then there's the opportunity to use Brave-supplied ads, "the core part of the company's long-term business effort."


LOCATION PRIVACY

Ex-employees claim Uber continues unauthorized surveillance

After stating it had policies preventing employees from accessing trip and geolocation information, five former Uber security professionals reveal the company continued to allow its workers to access sensitive information, according to The Center for Investigative Reporting's Reveal. The revelation comes two years after Uber was first found using its internal “God View” to track users’ whereabouts in real time without permission. Some of the most recent allegations state Uber deleted files it was legally obligated to hold onto and encrypted files during law enforcement investigations in its foreign offices. In response to the report, Uber’s Chief Information Security Officer John Flynn sent an email to the company’s staff reminding them of their privacy obligations.


DATA LOSS

Report: 1.6B records compromised in 2016

IT Governance has compiled a list of every data breach in 2016, estimating more than 1.6 billion records were compromised, The Daily Dot reports. The number is up from the 480 million breached records in 2015. IT Governance states June and November were the two worst months for data breaches in 2016. Voter breaches in June propelled the number of compromised records to 289,150,000, while 456,403,757 records were compromised in November, one of the worst months for security on record. IT Governance found more than 412 million of the records breached in November came from adult websites.

PRIVACY AFTER HOURS

We’re celebrating Data Privacy Day with our very popular global event, Privacy After Hours. Members and nonmembers are all welcome to mingle and talk privacy at these exciting gatherings. RSVP now to reserve your spot on Thursday, 26 Jan. 2017. If you don’t see your city on the schedule, just complete a volunteer coordinator form and add your location to the list.


Upcoming Events

26 January 2017
IAPP Privacy After Hours

28 January 2017
Data Privacy Day

15-16 March 2017
IAPP Europe Data Protection Intensive
London, England



Copyright© 2000–2016 International Association of Privacy Professionals.
The views in this eNewsletter, if any, are those of the authors and are not necessarily those of the IAPP.





--
Gail Ann Magnuson
Mobile: 1.704.232.5648
Residence: Ponce Inlet, FL

Mailing Address
4624 Harbour Village Boulevard #4406
Ponce Inlet, FL 32127

