Privacy Advisor


Global Privacy Dispatches

POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued towards Google, Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation discovered they had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.

Current Issue

Feature Stories

How Do I Measure My Privacy by Design Program’s Success?

To evaluate the success of a Privacy by Design program, there are objective and subjective guideposts available to organizations. When used together, these tools can help privacy professionals and managers determine whether a Privacy by Design program is meeting its initial goals. Libbie Canter and Jeff Kosseff, CIPP/US, describe how to do just that.

Book Review—Privacy Governance: A Guide to Privacy Risk and Opportunity for Directors and Boards

“I first became aware of Malcolm Crompton, CIPP/US, after seeing him speak at an IAPP conference several years ago. I was impressed with his passion for privacy and the warm way in which he engaged the audience,” writes Microsoft’s JC Cannon, CIPP/US, CIPP/IT, in this book review. “Crompton’s passion for privacy and warm, engaging style can be felt in his new book, Privacy Governance: A Guide to Privacy Risk and Opportunity for Directors and Boards,” Cannon writes, describing the book as “a must-read for company directors and boards who want to become serious about privacy compliance.”

Government’s Domestic Use of Drones Poses Privacy Questions for Congress and the Courts

While government use of drones has been underway for years, the privacy laws governing those activities remain uncertain. The sophistication and capabilities of these aircraft, already being deployed in a wide variety of settings, from disaster relief to law enforcement, are certain to create an increased demand for their use by government agencies. Given the lack of direct legal precedent, it is certain that the U.S. Congress and Supreme Court will be challenged in the coming years to define the privacy boundaries governing the use of UAS technology. In part three of this three-part series, David Young, CIPP/US, reports. Editor’s Note: See parts one and two.

Woman to Woman: A Q&A on the Marriage of Insurance Brokerage and Privacy Pro

Gamelah Palagonia, CIPP/US, CIPP/G, CIPP/IT, CIPM, the founder of Privacy Professionals, has been in the insurance industry for more than 30 years. Recently, she sat down with the IAPP Publications Advisory Board’s Carly Huth, CIPP/IT, for a Q&A on her career and how she became part of “the first generation of insurance brokers who are privacy professionals.”

Security Questions Don’t Protect You: Here’s Why

We have online accounts for everything these days: banking, e-mail, social networking, shopping, you name it. But when we find ourselves locked out of our accounts, the security question comes into the picture. Relying on such questions—which commonly ask for such easily-guessable answers as, “What year did you graduate high school?” or “What town did you grow up in?”—means the questions fail at their essential purpose. Jordan Holz of the Association of American Medical Colleges discusses how users can bolster protections for their online accounts.

Ten Steps to a Quality Privacy Program, Part Nine: Create a Written Plan for Addressing Known Issues

If there are issues at your organization that haunt you, and you’re aware of them, it’s time to lay out a plan for addressing them. “Besides helping your case should a regulator come knocking, documenting your action plan for known issues and risks is extremely important for all organizations because following this simple model will help ensure that you are focused on the right things, that you are applying your resources to the right projects and that leadership stays informed about the important work that you are doing within your organization,” writes Deidre Rodriguez, CIPP/US, in the latest installment of her 10-part series on creating a quality privacy program. Editor’s Note: Did you miss the first installments of this series? See them here.

The Case that Slipped Beneath the Cracks on Federal Employee’s Expectation of Privacy

In the narrow cracks between these popular conversations on privacy within the last year was a nuanced legal decision that has the potential to impact a rarely discussed expectation of privacy for federal employees, while impacting transparency for U.S. government agencies. The outcome of the case? If employees avail themselves of their own personal e-mail accounts to communicate official government business, they cannot have a reasonable expectation of privacy over those contents when compared to purely personal communications, writes Orandi Koosh, CIPP/US.

What Did You Expect? The FTC’s Two Newest Settlements

The Federal Trade Commission (FTC) has recently announced settlements with both Fandango and Credit Karma, whose smartphone apps contained the same critical security flaw: a failure to validate Secure Sockets Layer (SSL) certificates, one of the most basic and well-established security practices out there. To help businesses and practitioners minimize their own regulatory surprises, the IAPP Westin Research Center has compiled an in-depth overview of the cases.

Goodwin Procter Expands with Stegmaier

Gerry Stegmaier, CIPP/US, a longtime lawyer in the privacy space and current member of the IAPP Education Advisory Board, has moved from Wilson Sonsini Goodrich & Rosati to join the privacy practice at Goodwin Procter. “It means about 15 minutes more commuting time each way,” he joked, “further into the heart of DC, right across from the Renaissance Hotel,” which should be familiar to those who attended early versions of the IAPP Global Privacy Summit. Publications Director Sam Pfeifle talks with Stegmaier about what triggered the move, where the industry is headed in the next five years and why it’s a good time to be a privacy professional.

The Court Says FTC Can Punish Rulebreakers, but What Exactly Are the Rules?

If anyone was having a case of the Mondays this week it was Wyndham Hotels and Resorts, after a District Court of New Jersey judge denied the company’s motion to dismiss a Federal Trade Commission (FTC) lawsuit alleging Wyndham violated Section 5 of the FTC Act. Some say it’s a landmark decision that emboldens the FTC’s authority as a de facto privacy regulator and could even thwart national privacy legislation, while others say the decision simply gives the FTC the power to regulate concepts that aren’t well defined, as they haven’t been proscribed succinctly for companies aiming to comply with rules effectively created piecemeal via FTC consent decrees. In this exclusive, Angelique Carson, CIPP/US, rounds up reaction from industry, academia and activists regarding a case that may be closer to the starting line than the finish line.

Asian Regulators in Lock-Step with Global DPAs

With their respective keynote addresses at the inaugural IAPP Asia Privacy Forum, Hong Kong DPA Allan Chiang and Singapore Personal Data Protection Commission member Aileen Chia sent a cohesive message: Those companies making a good faith and concerted effort to respect their customers’ privacy have nothing to fear from regulators.

Court Ruling Moves FTC v Wyndham Forward; FTC Has Data Security Authority, Judge Rules

In what many are calling an important ruling, a federal court in New Jersey has shot down a challenge to the Federal Trade Commission (FTC) by Wyndham Hotels. In round one of the challenge, Wyndham argued the FTC overstepped its authority by suing companies for poor data security practices. The ruling by U.S. District Court Judge Esther Salas, however, denied the hotel chain’s motion to dismiss, saying the case can move forward. Salas noted her ruling “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked” but added there is “binding and persuasive precedent” upholding the FTC’s authority.

With Big Data and Privacy, What Should the Regulators Know?

In the third and final series of meetings called for by the White House as part of its Big Data and privacy initiative, privacy experts, academics, industry representatives and government regulators convened to hash out the benefits and challenges posed by the Big Data ecosystem. Hosted by the White House Office of Science and Technology Policy, the UC Berkeley School of Information and the Berkeley Center for Law and Technology, the day featured panels covering privacy values, the challenges of health and education, algorithms and transparency and privacy governance. Jedidiah Bracy, CIPP/US, CIPP/E, sums up the key points.

The Evolving Nature of Consumer Privacy Harm

Curry v. AvMed, Inc. moves the mark once again

In the privacy world, few questions are as fundamental and pervasive as “what constitutes privacy harm?” Scholars continue to debate what it means to suffer a privacy injury, but high-profile data breaches hit the newsstands seemingly every day, and class-action lawsuits follow. Meanwhile, the Federal Trade Commission and state attorneys general launch enforcement actions, and consumers complain in record numbers to federal and state regulators. IAPP Westin Fellow Kelsey Finch examines the case of Curry v. AvMed, Inc., and the question of which breaches are actionable and which harms are compensable.

UMaryland President: Breach Would Have Bankrupted Many Institutions

FTC Urges Congress To Grant it Civil Penalty Authority Over Nonprofits; Target Called on the Carpet

Representatives from the University of Maryland and Target—organizations that have both suffered large data breaches in recent months—along with the Federal Trade Commission (FTC), Visa and others, testified before the Senate Commerce, Science & Transportation Committee March 26 on protecting consumer data and fighting cyberattacks. Jedidiah Bracy, CIPP/US, CIPP/E, reports on the testimony and the FTC’s calls for jurisdiction over nonprofits.

NTIA Continues To Tackle the Future of Facial Recognition

Facial recognition technology, whether you’re a friend or foe, has a robust future, something clearly on display during the National Telecommunications & Information Administration’s (NTIA) March 25 multi-stakeholder meeting on creating a code of conduct for the technology. With the NTIA still in the gathering and learning stage, the meeting featured presentations from technology experts, some industry representatives and the Federal Trade Commission.

Summer Privacy Institute Will Bring Invaluable Education to Lawyers, Managers, Privacy Pros

As the most recent iteration of the IAPP's Global Privacy Professionals Salary Survey revealed, in the privacy field it is those with law degrees who report earning the highest salaries, and those with a Certified Information Privacy Professional (CIPP) designation report salary levels outpacing even those with Master of Business Administration degrees. Enter this year’s IAPP Information Privacy Summer Institute, providing privacy education from leading privacy scholars and an opportunity for law school or professional development credit.

Attacking Data Leakage

A start-up, and attendant nonprofit, focus on privacy in the publishing industry

“Publishers don’t really have their arms around their audiences in the way they used to,” said Joe Titlebaum. “The people who understand audiences the best are the ad tech folks.” Many publishers are uncomfortable with that, which presents a market opportunity. Titlebaum is chief legal and privacy officer for Mezzobit, a New York City-based start-up that’s focused on helping online publishers both understand their audience and prevent data leakage that might present privacy issues or simply make their readers uncomfortable.

Why Isn't Peter Hustinx on a Beach in New Zealand by Now?

In January, European Data Protection Supervisor (EDPS) Peter Hustinx and his staff celebrated the EDPS’ 10th year as an institution. Hustinx had all but blown out the candles on his proverbial “Bon Voyage” cake when the European Commission said, “Not so fast.” Though his two-term run had expired, the commission deemed the five candidates it interviewed to replace him late last year “inadequate.” Hustinx, Slovenia Information Commissioner Natasa Pirc Musar and Covington & Burling’s Henriette Tielemans weigh in on the delay in filling this crucial role.

Designing and Implementing an Effective Privacy and Security Plan

In its 2013 global data breach study, the Ponemon Institute reported that data breaches experienced by U.S. companies continue to be the second most expensive in the world at $188 per record. The study also reported that U.S. companies had the second greatest number of exposed or compromised records per breach at 28,765, resulting in an average total organizational cost of more than $5.4 million per data breach. Your company can mitigate the high costs of remediating a data breach by having a strong security posture and incident response plan, assembling a proper team to oversee your privacy and security practices and having a plan for breach remediation, writes Ronald Breaux.

Think Outside the Box; The Crooks Always Do

For consumers, identity theft seems to be the number-one concern, according to the FTC and a recent Ponemon survey. As privacy pros, putting ourselves in the customer’s shoes can foster perspectives that should lead to making the right decisions as risk managers, writes Matt Storer. Here are some scenarios to consider.

Are Doorstep Drone Deliveries Just Around the Corner?

Until recently, there was little concern that commercial drone technology might outrun the legal framework for dealing with it. The Federal Aviation Administration (FAA) has rarely issued certifications for commercial drones. But the FAA now has a mandate to open the national airspace to drones. And in a sign that the future may arrive sooner than expected, last month an administrative law judge reversed the FAA’s imposition of a $10,000 fine against an aerial videographer for using a drone to shoot a promotional video, saying the FAA had exceeded its authority under existing rules. In part two of this three-part series, Michael Whitener, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPP/IT, CIPM, zooms in on what the future may hold. Missed part one of this series? See it here.

Europe Seeks To Rise Up and Compete on Cloud Computing

Several recent activities have converged with longer-standing efforts to push cloud computing forward in Europe. Swirling around these activities have been violations of European government and citizens’ privacy via the U.S. PRISM program, lingering doubts about the effectiveness of the EU-U.S. Safe Harbor Agreement and the steady drumbeat of headline-grabbing data breaches undermining confidence in the cloud. Thomas Shaw, CIPP/US, looks at Europe’s plan to become a leading jurisdiction in cloud computing.

Privacy News