Kazakhstan Privacy Law Coming Into Effect Soon
Kazakhstan’s data privacy law, On Personal Data and Their Protection, goes into effect on November 26, making it the second country in Central Asia to enact a privacy law, reports Hunton & Williams’ Privacy and Information Security Law blog. The new law will work with the existing sectoral regulations and, while no English translation is available, according to the report, analyses suggest it applies to both public and private sectors.
Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds
A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company that alleges breaches at Wyndham and its three subsidiaries compromised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. A Covington & Burling InsidePrivacy post noted, “Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.”
Is Cali's "Eraser" Bill the Wrong Approach?
An Al Jazeera report analyzes recently passed legislation in California that essentially creates an “eraser” option for children and teens. Yet, privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy with their privacy in the first place, whereas older users may not be as sophisticated. Center of Democracy and Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California.
FAA Releases Roadmap for UAS Integration
Wired reports on the release by the Federal Aviation Administration of an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six test sites, which will help “inform the dialogue” with privacy and civil liberties concerns.
SCOTUS Lets Facebook Settlement Stand
The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated, Bloomberg reports. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.”
Federal and State Regulators on How To Get "Off the Hook"
The Federal Trade Commission (FTC) has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. Jed Bracy, CIPP/US, CIPP/EU, reports on their advice in this exclusive for The Privacy Advisor.
Case Over Workplace Audio Recordings Offers Insight
The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers.
What Privacy Pros Need To Know About the NIST Cybersecurity Framework
As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, that they understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker.
California's Tidal Wave of Legislation: A Roundup
Man Says Data Broker Is Liable in Harassment Case
A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law, Law360 reports. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act, the report states. (Registration may be required to access this story.)
Employee Monitoring: What’s Allowed and What’s Not?
Employers walk the line between protecting company resources and ensuring productivity, and becoming big brother to their staff. Technology is available to monitor everything from computer use to hallways, but just because it’s out there doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. (IAPP member login required.)
Close-Up: Workplace Privacy
U.S. Urges EU To Preserve Safe Harbour; International Reactions to Spying Programs Continue
Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately, “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra's reported involvement in the surveillance network.”
ICO: Cookie Replacements Must Follow Rules
The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forego cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies, Out-Law.com reports. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature.
Garante Provides General Rules Following Outsourcing's Growth
Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, is providing its general rules to protect the privacy of Italian citizens. Rocco Panetta highlights the details of these rules in The Privacy Advisor. “At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU,” Panetta writes.
Court Rules Google Must Remove Images from Search Results
A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results, The Economic Times reports. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst.
Germany and Brazil Present Internet Privacy Resolution to UN
Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online, The Associated Press reports. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution.
NZ Parliament Considers Privacy Principles
Parliament is considering adopting a set of privacy principles that would help protect both MPs and journalists, Radio New Zealand reports. Privacy Commissioner Marie Shroff, who recently reflected on the evolution of privacy in the past decade, told Parliament's Privileges Committee “it might be useful for the Privacy Act principles to be used as some sort of a guide within the Parliamentary precinct when difficulties occur over the use of information.” With the Privacy Act and the Official Information Act already established, she suggested there is no need to “reinvent the wheel.”
NZ Bill Could Put Cyber Bullies Behind Bars
A new bill being introduced in Parliament could see cyber bullies facing up to three years in prison, The Sydney Morning Herald reports. The Harmful Digital Communications Bill is backed by Justice Minister Judith Collins and would create a criminal offence for “sending messages or posting material online with intent to cause harm—including threatening and offensive messages, harassment, damaging rumours and invasive photographs,” punishable by up to three months in prison or a $2,000 fine, the report states. The bill would also establish an agency responsible for handling complaints.
Indonesia May Consolidate Privacy Law
“Indonesian data privacy protection is spread over several pieces of legislation such as the Human Rights Law, ITE Law, Code of Criminal Procedure and others,” but the government is discussing consolidating it into a single law, Lexology reports.
Analysis of India’s Privacy Bill
Neeral Dubey of PSA Legal Counsellors examines The Privacy Protection Bill, 2013 for Mondaq, including the domain and protection of personal data and the punishment for offenses. “Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit,” Dubey writes, concluding, “Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.”