by Monique Altheim on April 30, 2014
This past month saw another batch of large data breaches, with “Heartbleed” considered by some the largest data security breach in the history of the internet; a flurry of legislative efforts by the States to regulate the use of drones, student privacy and government surveillance; a landmark victory for the FTC’s authority to regulate commercial data security practices; and important privacy legislation in Australia, Brazil, and Canada. The EU Art 29 WP was busy as a bee publishing Opinions on EU Data Protection, and the European Parliament voted in favor of the proposed General Data Protection Regulation, leaving the next step up to the Council of Ministers.
• FTC to Examine Effects of Big Data on Low Income and Underserved Consumers at September Workshop
• Facial Recognition: Talks resume at NTIA (National Telecommunications and Information Administration) to craft a privacy-enhancing code of conduct for commercial uses of facial recognition technology
• FTC Staff Updates Guidance on “COPPA and Schools” Through Revised FAQs
• FTC Concludes Review of iVeriFly’s Proposed COPPA Verifiable Parental Consent Method
• FTC: COPPA Does Not Preempt State Teen Online Protections
• ‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys
• Experian: U.S. States Investigate Breach at Experian/Court Ventures
• Tax Fraud: D.C. physicians swept up in tax ID theft scam; Spike in Tax Fraud against Doctors
• Michaels, Aaron: 3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches
• Paper Breaches (Don’t dump those papers, shred them!)
OR: Employment applications found in Little Caesars Pizza dumpster in Salem
UT: Client files with personal information found in Dumpster
• Legislation: Kentucky has become the 47th state to enact a data breach notification law
• Holder calls for federal law on data breaches
• Court approves first-of-its-kind data breach settlement. AvMed agrees to set aside $3 million for breach victims, whether they suffered direct harm or not.
• FTC Deputy Director Daniel Kaufman Backs Civil Penalties for Large Breaches
• Two Congressional Hearings on Data Security
• Two Data Brokers Settle FTC Charges That They Sold Consumer Data Without Complying With Protections Required Under the Fair Credit Reporting Act (FCRA)
Drones (Unmanned Aerial Systems or UAS)
• According to the American Civil Liberties Union, 43 states are considering 96 bills related to domestic drone usage. Wisconsin is the ninth state to regulate drone usage, joining Florida, Idaho, Illinois, Montana, Oregon, Tennessee, Texas and Virginia.
• The Kansas Senate Committee passed SB 409, which would limit the use of drones with recording devices
• Wisconsin governor signs bill restricting drone use
• Utah governor signs bill that puts limits on police use of drones
• On the other hand: New Hampshire Drone Bill Shot Down in Senate
EU Data Protection
• Many Art 29 WP Opinions this past month. Eduardo Ustaran sums it up: Art 29WP – Something old, something new, something borrowed, something blue. http://www.linkedin.com/today/post/article/20140425061231-24251273-something-old-something-new-something-borrowed-something-new
• Art29 WP Working Document on contractual clauses from EU processors to non-EU sub processors.
• Article 29 WP Opinion 03/2014 on “Data Breach Notification”
• Art 29 WP Opinion 04/2014 on “surveillance of electronic communications for intelligence and national security purposes”
• Art 29 WP Opinion 05/2014 on “Anonymisation Techniques”
• Article 29 WP Opinion 06/2014 on “Legitimate Interests”
• EU Court of Justice invalidates the Data Retention Directive
• ECJ upholds independence of data protection authorities in case against Hungary
• The New EDPS’ Opinion Privacy and Competitiveness in the Age of Big Data
• DPAs, FTC Unveil Cross-Border Data Transfer Tool (APEC CBPRs and EU BCRs Referential)
• Council of Europe launches a human rights guide for internet users
• Italy: Garante imposes ‘landmark’ €1 million fine on Google
• France: New French Law Authorizes the CNIL to Conduct Online Inspections
• Germany’s DPAs Adopt Resolutions on Employee Privacy, Facial Recognition and EU Draft Regulation
• Microsoft can now transfer data from its EU cloud servers to its non-EU servers via EU approved model contracts
EU Data Protection Reform
• European Parliament Votes in Favor of Proposed Data Protection
• Article 29 WP Issues Statement on One-Stop-Shop Within Proposed EU General Data Protection Regulation
• Member States unveil positions on proposed “One-stop-shop [complaint] mechanism”
EU-US Safe Harbor
• Art 29 WP has many additional recommendations to strengthen personal data protection under the Safe Harbor Decision
• In a Joint Statement at the EU-US Summit on 26 March 2014 EU and U.S. officials announced a commitment to strengthening the Safe Harbor framework by this coming summer
• Facebook admits users are confused about Privacy, will show more on-screen explanations, in an effort to practice “surprise minimization” or “minimize the surprise to the consumer”.
• Kentucky enacts law Protecting Student Data In the Cloud
• Louisiana House Passes Student Privacy Bill
• Florida Senate Passes Student Privacy Bill, which would prohibit schools from collecting political and religious beliefs and biometric information from students
• Kansas House Passes Student Privacy Bill, which would restrict access to student records and prohibit the state from collecting information relating to students’ and their families’ personal beliefs or practices on issues such as sex, family life, morality and religion.
• The Colorado House Education Committee unanimously passed a bill that would put restrictions on the sharing of education data.
• South Dakota Passes Student Privacy Law
• California Sen. Proposes Student Privacy Bill
• Illinois House Committee Endorses Student Privacy Bill
• inBloom’s closure highlights dark side of privacy in sectors driven by data http://www.businesscloudnews.com/2014/04/25/inblooms-closure-highlights-dark-side-of-privacy-in-sectors-driven-by-data/
Fourth Amendment / Surveillance
• Idaho: New law limits DNA collection by law enforcement: only upon criminal conviction or by court order
• Utah: New law makes any electronic data obtained by law enforcement without a warrant, including location data, inadmissible in a criminal proceeding.
• Indiana: Anti-Surveillance Bill signed into law; it requires police to obtain search warrants before using drones, using cellphones to track individuals or demanding passwords for electronic devices, among other restrictions
• The U.S. Supreme Court heard oral arguments in Riley v. California and United States v. Wurie, two cases involving the warrantless search of an individual’s cell phone incident to arrest, and will decide an important Fourth Amendment question: can the police search the entire contents of an individual’s cell phone incident to any lawful arrest? To be followed.
FTC, Section 5, Deceptive and Unfair Practices
• FTC Approves Final Order Settling Charges that Aaron’s Inc. Allowed Franchisees to Spy on Consumers via Rental Computers
FTC v. Wyndham
• Federal court denies Wyndham Hotels & Resorts’ motion to dismiss FTC’s complaint and upholds FTC’s authority to regulate commercial data security practices
• Google has updated its terms of service to reflect that it analyses user content including e-mails
• Australia: Reforms to the Privacy Act are in effect as of March 12, 2014
• Brazil: Brazil passes the “Internet Bill of Rights”, a law that protects online privacy and promotes an open Internet
• Canada: Canada’s anti-spam legislation (CASL), requiring express consent, becomes effective July 1, 2014.
• HHS is serious about HIPAA compliance, reveals audit plans
• HHS Releases Security Risk Assessment Tool
• OCR Announces $1,975,220 in Settlements Over Stolen, Unencrypted Laptops containing PHI
• Yahoo webcam images from millions of users intercepted by GCHQ; 1.8m users targeted by UK agency in six-month period alone. Material included large quantity of sexually explicit images
• Introducing the ACLU’s NSA Documents Database. These documents stand as primary source evidence of our government’s interpretation of its authority to engage in sweeping surveillance activities at home and abroad, and how it carries out that surveillance.
• NSA Said to Exploit Heartbleed Bug for Intelligence for Years
• U.S. v Lavabit judgment: Fourth Circuit affirms district ruling: Lavabit in contempt. Lavabit tried giving the feds its SSL Key In 11 pages of 4-Point Type; Feds complained that it was illegible
• FBI Plans to Have 52 Million Photos in its NGI (next generation identification) Face Recognition Database by Next Year
Technology and Lifestyles, New Developments in
• Facebook unveils new “Nearby Friends” location feature
• Google Glass Etiquette https://sites.google.com/site/glasscomms/glass-explorers
• Conversnitch: a device that live-tweets private conversations.
The FCC issued two rulings regarding exemptions to the “express consent” requirement under TCPA (The TCPA and associated FCC rules require parties to obtain “prior express consent” before transmitting autodialed or prerecorded informational calls or text messages to a wireless telephone number).
• The FCC exempted package delivery notifications from the “prior express consent” requirement when the called party is not charged for them by the wireless carrier. For example, under the exemption, FedEx or UPS will not need prior express consent of package recipients for automated shipment notification messages sent to their mobile telephone numbers.
• In the context of “text-based social networks” such as GroupMe, “prior express consent” to receive automated text messages can be obtained through an intermediary (in this case, the text message group creator), where the messages are administrative in nature and concern the use and cancellation of the service.