Monday, December 1, 2014

What "Ubergate" Means for Privacy Pros

Okay, so I know I’m not the only one writing about what the Twitter world collectively calls "Ubergate," but I think it’s important to delve into this issue a bit here and flesh out why this demonstrates the organizational need for privacy professionals and privacy ethics.

Much of this current firestorm centers on the alleged unethical use of sensitive personal data collected every day by the popular rideshare start-up. To quickly sum up this latest privacy kerfuffle: A journalist, himself using questionable ethics, quoted Uber's senior vice president's off-the-record discussion about using data collected from its services to go after its enemies.

But this isn't the only time the media has focused on what many sources have been calling a culture problem at Uber, particularly its questionable use of customer data. For example, according to venture capitalist Peter Sims, Uber used a “God View” for stalking purposes, while others have raised concerns about how the company has mined its data as seen in its “Rides of Glory” and “crime location knowledge demand” blog posts.

read full article at IAPP

UK plans to introduce new Web snooping law

A U.K. counterterrorism bill would require ISPs to retain IP addresses in order to identify individual users of Internet services.

The proposed law is meant to bridge a “capabilities gap” that authorities face when trying to obtain communications data, said U.K. Home Secretary Theresa May, who introduced the bill, in a speech on Monday.

The measures will build on emergency legislation that the U.K. introduced during the summer, said May, who added that “it is not a knee-jerk response to a sudden perceived threat.”


read full article at PC World 


New NSA Privacy Chief Promises Transparency

In a Q&A online, Rebecca Richards promised a new era in transparency at the United States’ eavesdropping agency. 

The National Security Agency’s newly appointed Civil Liberties & Privacy Officer Rebecca Richards said Monday in an online Q&A she hopes to inject a sense of transparency into the secretive spy agency.

“Until somewhat recently, relatively little information about NSA was public. And the information that was made available rarely discussed the safeguards in place to protect civil liberties and privacy,” Richards said. “One of my goals is to share what NSA does to protect civil liberties and privacy. This will take time, but we must start somewhere.”

read full article at Time

Slack alters privacy policy to let bosses read your messages

Slack, the fast-growing workplace communication tool, announced today that it will begin selling a new tier of service in January aimed at large enterprises. Slack Plus, as the tier is called, will offer a handful of new tools aimed at system administrators. But there’s one feature every Slack user needs to know about: companies that subscribe to the Plus plan will be able to request every message that employees have sent on the service from that point forward, including direct messages to coworkers and a history of any changes you made to your messages.

Slack has revised its privacy policy to accommodate the new feature, which it says was requested by businesses that are legally obligated to retain employee communications. (The revisions are worth reading for anyone who manages a Slack team; among other things, it now requires you to waive your right to a jury trial in favor of binding arbitration if you ever have reason to sue the company.) 

Every enterprise software startup eventually courts big companies, which generally have the most money to spend. But few have done it as quickly as Slack, which launched in February and now has 300,000 daily users on 40,000 teams. Its earliest users were small teams, but Slack is now used at Amazon, Walmart, AOL, and ESPN, among other places. (Also: The Verge.) 

read full article at The Verge

MPs say they need 'serious discussion' with social networks over users' data

Social networks should simplify their terms and conditions, to ensure that their users fully understand how their personal data will be collected and used, MPs have concluded.

A report by the Commons science and technology committee calls for the British government to work with the Information Commissioner’s Office (ICO) on new guidelines for how social media companies should explain their data collection policies to users.

The MPs criticised the “opaque, literary style” of many social networks’ terms and conditions documents, suggesting that they “are drafted for use in American court rooms” rather than for non-lawyers to understand, and thus give their informed consent to however that company plans to use their personal data.


read full article at Guardian

E.U. Parliament Passes Measure to Break Up Google in Symbolic Vote

Europe’s resentment of the American technology giant Google reached a new noise level on Thursday as the European Parliament passed a nonbinding vote to break up the company.

Although merely symbolic — the resolution carries no legal weight — the move came the day after a separate European body sought to further expand citizens’ “right to be forgotten” privacy protections against Google.

Both moves are also playing out against the backdrop of a long-running investigation by the European authorities of Google, on which the European Union’s new antitrust chief, Margrethe Vestager, is still getting up to speed.

read full article at NY Times

Cyber Security Needs Its Ralph Nader

It took thousands of unnecessary traffic fatalities to create an environment for radical transformation of the auto industry. What will it take for a similar change to occur in data security?

By every metric, driving an automobile is far safer today than it was in 1965, due to a combination of factors including government regulations and legislation, consumer awareness, and technology advances. The catalyst for all of this was one man: Ralph Nader.

Prior to 1965, car manufacturers had no real motivation to make safe cars because the cost of doing so did not justify the business benefits. But then Ralph Nader published Unsafe at Any Speed, a critique of the safety record of American automobile manufacturers. His advocacy injected the traffic fatality epidemic into the headlines, and a nation changed.


read full article at Information Week

How Can DPOs Leverage a New Role Under the Proposed Regulation?

Under the proposed General Data Protection Regulation, the function and tasks of the data protection officers (DPOs) are much more comprehensive and structured. At the IAPP’s Data Protection Congress in Brussels last week, four DPOs discussed how they expect their roles and responsibilities to change under the regulation and how they propose to leverage the opportunity.

Philippe Renaudière is DPO for the European Commission. He said while the number of complaints he receives yearly is limited, there’s always at least one that’s extremely serious and important, in which case the function of the DPO is to cooperate with the European Data Protection Supervisor (EDPS). But in general, from day to day, the role is much more pragmatic.

“That’s the first step: Raise awareness and create a culture of data protection. Train people,” said Renaudière. “I like that I’m a facilitator, because that’s my basic approach, my first approach to a problem. Normally, the commission is a decent institution with decent people who do decent things … It’s more a matter of explaining, defining the correct way.”

read full article at IAPP

A Blockbuster Wireless Auction

The eye-popping bids in the current auction of wireless frequencies by the Federal Communications Commission are a testament to soaring demand for mobile Internet service. 

As of last week, bids in the auction exceeded $38 billion, far more than the $10.5 billion reserve price set by the F.C.C. These frequencies, also known as spectrum, are needed to expand cellular networks so they can carry more phone calls and data.

The superheated bidding provides fresh evidence that the telecommunications industry is thriving despite protests by executives at companies like Verizon and AT&T that they are being stymied by regulation. Phone companies are upset that President Obama recently called for strong rules that would prohibit telecom companies, including wireless businesses, from creating fast and slow lanes on the Internet. His proposal needs to be approved by the F.C.C., an independent agency that is not obliged to do what Mr. Obama wants but that in this case should follow his direction.

read full article at NY Times

European Commission Finds Existing Technology Neutral Regulations Adequate For Drone Privacy

The European Commission published a comprehensive report evaluating the privacy impact of drones (referred to in the report as RPAS or remotely piloted aircraft systems), finding that Europe’s existing regulatory framework is adequate to address the emergent technology. 

The 378-page report found that the current European and Member State regulatory framework was “adequate to address the privacy, data protection and ethical impacts” of drones because those rules are technology neutral. The report noted that rights to privacy and data protection frameworks in Europe included provisions for addressing various risks. While the regulatory structure in Europe is adequate, the report noted that the biggest problems associated with drones may be educating the industry about their obligations, and enforcing the regulatory mechanisms that are already in place.

The report’s authors also believed that drones should “include privacy-by-design features in all data collection and processing activities” (a reform I encourage U.S. legislators to consider in this white paper).

read full article at Forbes

The Extraterritorial Scope of the “Right to Be Forgotten” and how this Affects Obligations of Search Engine Operators Located Outside the EU

The information transferred through these networks is vast, mostly unfiltered and flows in an intangible area defined as “cyberspace”. The Court’s recent judgment in the Google case aims at setting the boundaries to what search engine operators can and cannot do in the EU when their activities have implications to data protection rules, by determining (i) the territorial scope of such rules, (ii) the characterization of the activity of an internet search engine operator and (iii) the relevance of the “right to be forgotten” in this context. In a nutshell, the Court found that when it comes to non-EU based search engine operators, the mere existence of an affiliated company in the EU that sells ads associated with the search engine giant creates a presence in this territory and a data processor within the scope of the relevant EU Directive

 full article at ENLR 3/2014 


 




Mergers: Commission approves aerospace and defence joint venture between Airbus and Safran, subject to conditions

The European Commission has concluded that the proposed creation of a joint venture for space launchers, satellite subsystems and missile propulsion between Airbus Group N.V. of The Netherlands and Safran S.A. of France is in line with the EU Merger Regulation. Both Airbus and Safran are active in the aerospace and defence industries. The decision is conditional upon the exclusion of Safran's activities in electric satellite thrusters from the joint venture, as well as on certain supply assurance commitments. 

The Commission had concerns that the joint venture could have shut out Airbus' competitors or limited their access to certain supplies, as well as transmitted strategic information to Airbus. The commitments offered by Airbus and Safran address these concerns.  

On 8 October 2014, Airbus and Safran notified plans to create a joint venture to which they would contribute their respective activities in space launchers, satellite subsystems and missile propulsion. In addition, Airbus and Safran intend to acquire, at a later stage, control over the satellite launch operator Arianespace. However, this would be a separate transaction and today's decision neither takes it into account nor prejudges the possible assessment of such a transaction in the future.

read full article at European Commission


State aid: Commission approves German renewable energy law (EEG 2014) for railway sector

The European Commission has found that a German scheme promoting electricity production from renewable energy sources and benefitting railway companies is in line with EU state aid rules. The Commission concluded that the aid is limited to compensating railway companies for the opportunity costs that arise from using rail transport rather than a more polluting mode of transport, and therefore furthers common transport objectives without unduly distorting competition in the Single Market.

The German Renewable Energy Act (Erneuerbare-Energien-Gesetz – EEG) 2014 provides support for electricity production from renewable energy sources and from mine gas. This support is financed by contributions levied on electricity consumers (the "EEG-surcharge"). The EEG 2014 grants certain energy-intensive users, including railway companies, reductions from the EEG-surcharge. These reductions constitute state aid because they give their beneficiaries an economic advantage over other companies who have to pay the full surcharge. 

The Commission verifies whether such aid is in line with EU state aid rules that allow granting aid to further certain objectives of common interest. The Commission assessed the EEG 2014 on the basis of the new Environmental and Energy Aid Guidelines, and approved it in July 2014. The EEG 2014 entered into force on 1 August 2014. However, specific state aid rules are in force for the railway sector. Therefore, the EEG-surcharge reductions for those companies had to be assessed separately under the provisions of the 2008 Railway Guidelines.

read full article at European Commission


Antitrust: Commission welcomes General Court judgment confirming its inspection powers in the area of electronic searches

The European Commission welcomes the judgment of the EU General Court (case T-272/12), dismissing an appeal by Energetický a průmyslový holding (EPH) and its subsidiary EP Investment Advisors (EPIA) against a €2.5 million fine the Commission imposed on them in 2012. EPH and EPIA were fined for obstructing a Commission inspection in an antitrust investigation, by failing to block an email account and diverting incoming emails. The judgment sends a clear message to companies that any steps that undermine the integrity and effectiveness of inspections, including tampering with data stored electronically, are illegal and will be sanctioned.

The Court confirmed that the Commission was right to consider both the failure to block an e-mail account and the diversion of incoming emails as serious breaches of EPH and EPIA's obligation to cooperate with the Commission during the inspection. In line with previous case law (cases T-141/08 and C-89/11P), the Court held that these two incidents constitute an obstruction in themselves; the Commission does not need to show that any document was actually removed or manipulated.

The Commission welcomes the Court's findings, because obstructions of inspections can severely undermine competition enforcement. The judgment makes clear that the Commission is entitled to impose appropriate and deterrent sanctions for companies' conduct that may result in destroying evidence of antitrust infringements, irrespective of whether it is stored in paper or electronic form.

read full article at European Commission

The General Court confirms the decisions ordering an inspection taken by the Commission against Orange in connection with a possible abuse of a dominant position

Orange (known as France Télécom until 1 July 2013) is a French public limited company which provides Internet access to companies and individuals. In 2011, a competitor known as Cogent lodged a complaint with the French Competition Authority, believing that Orange had abused its dominant position by a number of practices in the sector for reciprocal interconnection services in the area of Internet connectivity. In 2012, the Competition Authority found that the practices alleged against Orange were not substantiated or did not constitute an abuse of a dominant position.

In parallel, the Commission had opened a procedure against Orange into highly similar practices. After the Competition Authority’s decision, the Commission, by decisions of 25 and 27 June 2013, ordered Orange to undergo an inspection (‘the inspection decisions’). The inspection took place between 9 and 13 July 2013 on four of Orange’s premises. Taking the view that the Commission did not have the right to order that inspection on its premises in the circumstances of the case, Orange brought an action before the Court seeking the annulment of those decisions.

By today’s judgment, the Court dismisses Orange’s action and confirms the Commission’s inspection decisions. 

read full article at General Court


U.N. Urges Protection of Privacy in Digital Era (privacy is a human right)

The United Nations adopted a resolution on Tuesday urging all countries to protect the right to privacy in digital communications and to offer their citizens a way to seek “remedy” if their privacy is violated.

Though not legally binding, the resolution signaled growing international attention to the issue of digital privacy, which it described as a human right.

The measure passed by consensus in the General Assembly’s human rights committee, which meant that it was not put up for a vote. But it was a result of intense closed-door negotiations, and it set the stage for a showdown in Geneva next spring, when the issue is expected to go to the Human Rights Council. Privacy advocates are pushing for the United Nations to establish a special envoy.

read full article at NY Times