Thursday, May 26, 2016

US International Communications Privacy Act (!)

Members of the US House and Senate have introduced legislation aimed at "addressing the conflict between cross border data flows and law enforcement requests for electronic communications", called the "International Communications Privacy Act". Sounds like a reaction to #Privacy #Shield...

read the press release here

Thursday, March 10, 2016

Verizon racks up $1.35M fine for violating consumer privacy

How much does your privacy cost? A cool $1.35 million, according to the Federal Communications Commission.

On Monday, the Federal Communications Commission said it had reached a deal with Verizon over the company's use of a technology that allowed marketers to track customers' web browsing so they could provide more targeted advertising. The so-called supercookies were hidden bits of code that couldn't be easily erased when consumers cleared their browsing history.

As part of the agreement, Verizon will pay the $1.35 million fine and shift from an opt-out policy to a more explicit opt-in policy for consumers. Now it will only share "supercookie" data with third parties if customers have decided to participate. The company will still be able to use the "supercookie" tracking information when customers connect to Verizon's corporate services to market its own services to its customers. 

by Marguerite Reardon
read full article at CNET

UK setting bad example on surveillance, says UN privacy chief

The UK is setting a bad example to the rest of the world with proposed changes to the law on surveillance, the United Nations special rapporteur on privacy has said.

The criticism by rapporteur Joseph Cannataci is made in a report presented to the UN Human Rights Council. The report deals with privacy concerns worldwide but Cannataci, concerned about developments in the UK, has devoted a section to the British bill.

He says the British government has failed to recognise the consequences of legitimising bulk data collection or mass surveillance. Instead of legitimising it, the government should be outlawing it, he says. 

By Ewen MacAskill
read full article at Guardian

Penny Pritzker on the Privacy Shield Pact With Europe

The E.U.-U.S. Privacy Shield may, at first blush, sound like a pretty boring group of superhero characters. But the agreement, whose details were released late last month, will have a major impact on how companies collect, manage and use digital data transferred from Europe to the United States.

It places a greater onus on companies like Google and General Electric to ensure people’s digital information — from social media posts to employee payroll data — is not misused. The deal also forces the United States government to further limit what access the country’s intelligence agencies have to Europeans’ data when it is moved across the Atlantic.

The European Court of Justice, the region’s highest court, ruled last year that the previous data-transfer agreement was invalid because it did not provide sufficient protection for European citizens when their data was transferred to the United States. 

By Mark Scott
read full article at NY Times

United States: Privacy Shield Takes Another Step Forward

Roughly three weeks ago EU and U.S. negotiators announced that they had reached agreement on a replacement for the Safe Harbor mechanism for compliance with European regulations on transfers of personal information to the United States. More than 4,000 U.S. businesses were reliant on Safe Harbor to allow them to receive data from Europe on EU-based customers and employees when, in October 2015, it was invalidated by the EU Court of Justice, creating great risk for the businesses that had relied on it. As we reported here, representatives of the U.S. and the EU had already missed the deadline set by European privacy regulators to satisfactorily replace Safe Harbor or see the flow of data to the U.S. cease when a deal was struck even as the deadline in fact passed. The trouble with the February agreement was that the negotiators had nothing to show the regulators beyond an outline of the principles underpinning the deal.

The European regulators' body, known as the Article 29 Working Party ("Working Party"), with which the European Commission ("Commission") must consult on data protection matters, adopted a "wait and see" attitude after the Privacy Shield announcement. However, to avoid a data flow interruption, the Working Party gave U.S. and EU officials an end of February deadline to disclose the details of the Privacy Shield for its review.

On the last day of February, just within the deadline set by the Working Party, the European Commission released the details of the Privacy Shield agreement announced four weeks earlier. Accompanying that text was a draft decision of the Commission declaring that the Privacy Shield will provide adequate protection to the privacy rights of EU citizens whose private information will be transferred to the U.S. under its terms. A decision with respect to the adequacy of a data protection mechanism by the Commission is a predicate under the Data Protection Directive to the lawful transfer of personal data outside the EU.

By Scott J. Wenner
Schnader Harrison Segal & Lewis LLP

read full article at Mondaq


FCC Plans to Expand Low-Income Assistance to Broadband Ahead of Privacy Rules

This morning, FCC chairman Tom Wheeler posted a lengthy letter to his office's website that laid out the Commission's plans for Lifeline, a federal program which provides a $10 per month subsidy to the lowest-income Americans for wired phone services. In 2013, the program provided $1.8 billion in subsidies to 14.2 million people.

"We can recite statistics all we want," Wheeler writes, "but we must never lose sight of the fact that what we’re really talking about is people -- unemployed workers who miss out on jobs that are only listed online, students who go to fast-food restaurants to use the Wi-Fi hotspots to do homework, veterans who are unable to apply for their hard-earned benefits, seniors who can’t look up health information when they get sick."

To that end, Wheeler is set to propose an overhaul to the Lifeline program that would extend its purview to broadband access. 

By Andrew Flanagan
read full article at Billboard

ACLU Urges Feds To Adopt Privacy Rules For Broadband And Cable

A coalition of privacy groups including the American Civil Liberties Union, the Electronic Privacy Information Center, and New America's Open Technology Institute wrote to the Federal Communications Commission Monday calling on the telecom regulator to limit how broadband and cable providers use personal data about viewing and browsing habits.

"ISPs currently play a leading role in the complex ecosystem of online behavioral advertising and related forms of data-driven, targeted marketing," the groups warned. "These companies are showing an increased interest in monetizing the data they collect about their customers, and they are leveraging their position as gatekeepers to the Internet to harness this data in powerful and invasive ways."

Verizon has in place sophisticated ad-targeting and consumer-tracking technology for mobile users, and Comcast has said it would share cable set-top box analytics data with its NBCUniversal content division, the groups said. 

By Steven Melendez
read full article at FastCompany

Overnight Tech: FCC Internet privacy rules loom

Thursday is the deadline for the agency to put items on the tentative agenda for the March open meeting. Which means we could get our first information tomorrow on Chairman Tom Wheeler's anticipated plan to police privacy at broadband providers.

Wheeler talked about the privacy issue in a laudatory Verge interview (headline: "The Dragonslayer") released Wednesday. 

"When these companies were operating as phone companies, the information generated by a phone call couldn't be released unless the consumer said so," he said, after identifying privacy as the next big net neutrality battleground. "You've got to ask yourself the question: why is the information generated by an internet search different?" 

By David McCabe and Mario Trujillo
read full article at The Hill


Privacy groups want rules for how ISPs can track their customers

Some Internet service providers are building powerful tools to track customers, and the U.S. Federal Communications Commission needs to step in, privacy advocates say.

Some privacy advocates are calling on the FCC to create new regulations that limit how ISPs can track their customers across the Internet. The agency could release a proposal for ISP privacy rules as soon as this month, FCC Chairman Tom Wheeler said last week.

Some ISPs are deploying "invasive and ubiquitous" tracking practices as a way to deliver targeted advertising to customers, 12 privacy groups said in a letter to the FCC this week. In recent years, large ISPs like Comcast and Verizon have entered into advertising partnerships or launched their own advertising services that take advantage of ISP customer data, the letter said. 

By Grant Gross
read full article at PC World

Cable, Wireless Companies Face New Privacy Rules

U.S. Federal Communications Commission officials soon will seek to impose new customer-privacy rules on Internet access providers, a move expected to fuel an already fierce conflict with the industry.

The new rules, which could be brought up at an FCC meeting as soon as this month, are intended to help shield tens of millions of consumers from potentially unwanted use of their Internet data by the providers, many of whom are looking to boost profits by using customer data to sell more targeted advertising online.

The Internet access companies—which include cable and wireless firms—are digging in for a regulatory fight, arguing that tough new FCC rules could put them at a disadvantage, particularly against Internet-services firms such as Alphabet Inc.’s Google unit or Facebook Inc. that wouldn’t be covered by the new FCC rules.

By John McKinnon
read full article at WSJ

Europe’s Protectionist Privacy Advocates

Max Schrems is no hero. The Austrian privacy activist was hailed in some quarters last fall for helping bring down the 15-year-old Safe Harbor pact that facilitated digital trade worth more than $250 billion annually between Europe and the U.S. But he is unwittingly reducing his fellow Europeans’ right to privacy, forcing businesses to pay needless costs and fanning the flames of protectionism.

A graduate student at the University of Vienna, the 28-year-old Mr. Schrems made headlines after the Edward Snowden story broke in 2013 by filing a series of lawsuits against Facebook for not taking adequate safeguards to protect its users from National Security Agency surveillance.

By Roslyn Layton 
read full article at WSJ 

Wednesday, March 2, 2016

Licensing online gambling in Greece and the OPAP conflict

Greece’s monopoly gambling operator OPAP is seeking in excess of €1b in damages as a result of the Government’s “abrupt and counterproductive interventions” in its business. The Greek Government also recently announced its intention to establish a new licensing regime for online gambling. 

By Spiros Tassis
read full article at Linkedin

Tuesday, February 16, 2016

New ACLU Guide: Tips for Tech Companies on Protecting User Privacy and Free Speech in 2016

This third edition addresses new challenges facing businesses today and shows how to avoid missteps while building privacy and free speech into products and company culture. The lessons include:

Respect your data. Avoid Magna Carta-level mistakes by collecting only the data you need for your product and making sure that your algorithms and data use protect users and avoid replicating real world biases.
Create a secure data ecosystem. Security isn’t just about outside threats – companies need to limit internal access to data to avoid Uber-embarrassment, incorporate encryption for data collection and storage to prevent disastrous breaches, and collaborate with security researchers to protect users.
Be transparent about practices. Clear descriptions of privacy practices are essential to avoiding PR disasters, whether the product is a music streaming service, a useful app, or a connected “Internet of Things” device.
Encourage speech by empowering users. Companies can create cohesive communities and avoid harmful, speech-chilling harassment by creating platforms with tools that empower users, account policies that respect user identities, and narrow rules focused on bad behavior rather than content censorship.
Fight for your users. Companies that support user privacy and speech protections routinely receive praise, while those that seek to limit how products are used or that fold to legal demands lose the trust of users and public alike. 

By Nicole A. Ozer
read full article at ACLU

EU’s ‘Right to Be Forgotten’ policy sets bad precedent for free expression

Last week’s announcement that Google will begin suppressing links to URLs not only for searches on EU country-level domains, but also for searches conducted from within EU countries, is bad news, write Jens-Henrik Jeppesen and Emma Llansó.

Jens-Henrik Jeppesen is director for European affairs and Emma Llansó is director for the Free Expression Project at the Center for Democracy and Technology.

The move is the latest development in the debate over the “right to be forgotten”. In 2014, the Court of Justice of the European Union found that under the data protection directive, people in the EU have a right to demand that search engines de-list URLs linking to information that is “inadequate, irrelevant or no longer relevant, or excessive.”

We are sympathetic to people distressed by information about them in the public domain, we understand the desire to suppress such information in certain contexts, and we support targeted and proportionate policies to protect individuals’ right to privacy.

But our overriding concern with the Google Spain v AEPD Mario Costeja Gonzales ruling that triggered the right to be forgotten is that it enables broad restriction of access to lawful, public information, inevitably curbing free expression. 

By Emma Llansó, Jens-Henrik Jeppesen
read full article at EurActiv

Article 29 Working Party lays out GDPR action plan

Last week, in a highly anticipated presser, the Article 29 Working Party shared its preliminary assessment of the proposed EU-U.S. Privacy Shield agreement. Lost amidst this anticipation, however, was an equally significant announcement from the regulatory collective’s head, Isabelle Falque-Pierrotin, regarding the group’s action plan for the implementation of the General Data Protection Regulation.

While the mandatory DPO doesn't come into force until 2019 at the earliest, and mechanisms like the European Data Protection Board and the one-stop shop won't be operational until 2018, look for guidance to be released on what those efforts will look like, along with guidance for controllers and processors on high-risk assessments and the operationalizing of data portability, before the end of the year. 

by Jedidiah Bracy, CIPP/E, CIPP/US
read full article at IAPP

‘I have nothing to hide’ is killing the privacy argument

The newfound interest in privacy is similar to previous debates on the same topic. What causes outrage today is quelled tomorrow and then ultimately forgotten until something else stirs the waters.

In the 2000s we had Echelon and Carnivore, two covert programs used by government agencies to monitor communications.

Later, we had Julian Assange and Wikileaks helping to further the fight by bringing attention to similar programs.

More recently, it was Edward Snowden detailing the newest incarnations of government spy tools known as XKeyscore and PRISM.

Today, we have GCHQ fanning the flames, the NSA continuing its spying programs (only this time, with transparency) and politicians waxing poetic about the dangers of this newfound tool that facilitates terrorism, encryption. 

by Bryan Clark
read full article at The Next Web

The Business Implications of the EU-U.S. “Privacy Shield”

Last week, the U.S. and EU announced a tentative agreement to allow U.S. companies to continue sending and receiving personal information about EU residents across EU borders — everything from an online employee directory for a multinational company to a Facebook profile stored in the cloud.

An earlier agreement, known as the Safe Harbor Privacy Principles, which went back 15 years and was relied on by some 4,000 companies, was declared illegal last year based on concerns, highlighted by the Edward Snowden disclosures, that compliance with surveillance requests from U.S. government agencies, notably the NSA, may have put U.S. companies into conflict with the EU’s broadly written privacy directives. 

by Larry Downes
read full article at Harvard Business Review

ISPs want “flexible” privacy rules that let them “innovate” with customer data

Broadband industry lobby groups urged the Federal Communications Commission on Thursday not to impose privacy rules that dictate "specific methods" of protecting customer data, since that would prevent "rapid innovation."

ISPs should have "flexibility" in how they protect customers' privacy and security, said the letter from the American Cable Association, Competitive Carriers Association, Consumer Technology Association, CTIA, the Internet Commerce Coalition, the National Cable & Telecommunications Association, and USTelecom. Together, these groups represent the biggest home Internet service providers and wireless carriers such as Comcast, AT&T, Verizon, Time Warner Cable, Charter, Sprint, T-Mobile, and many smaller ones. 

by Jon Brodkin
read full article at The Register

FCC poised to flex new privacy powers

Before the net neutrality ruling, the Federal Trade Commission policed privacy at both Internet service providers and online companies like Google and Facebook, using the same standards.

“Well, I think essentially, the key point is that consumers have certain expectations as to how their private information will be treated,” said Lynn Follansbee, a vice president for law and policy at USTelecom, which represents broadband providers.

“And we just take a position that no matter, across the whole Internet ecosystem, no matter what kind of technology is involved, consumers shouldn’t be surprised."

The privacy fight stems from the net neutrality rules approved in a party-line vote by the FCC a year ago.

The commission treated Internet service providers like traditional phone service to apply new rules requiring all Web traffic to be handled in the same way. That left the FCC in the difficult spot of applying privacy regulations for phone companies to broadband providers. Those rules protected information on whom a customer called and when, for example.

But applying those regulations directly to new technology would have been a tall order for the agency. The commission decided last year to instead create new regulations exclusively for broadband service.

By David McCabe
read full article at TheHill

Instagram’s multi-account feature has a privacy bug on Android

Users welcomed Instagram’s new multi-account feature earlier this month but it seems that there are some teething problems.

Some people using Android phones have reported that they are receiving private notifications and DMs intended for the other people who have mutual access to an account. 

by Amanda Connolly
read full article at TheNextWeb

8 Ways To Secure Data During US-EU Privacy Fight

The EU-US Safe Harbor that governed the flow of data between the US and European Commission countries is dead, and there's no formal framework text to replace it yet. The result is a lot of legal uncertainty for many organizations when it comes to transatlantic transfers of data. It may be weeks or months before the dust settles. What do enterprises need to know now?

First, some background. On October 6, 2015, the European Court of Justice invalidated the EU-US Safe Harbor framework in the Maximilian Schrems v Data Protection Commissioner case. A couple of weeks later, the Article 29 Working Party issued a statement about the practical effects of the ruling. The group urged businesses to proceed very carefully. Then on February 2, 2016, the European Commission (EU) announced it and the US had agreed on a new framework for transatlantic data flows called the EU-US Privacy Shield, but because no text is yet available, the framework cannot be interpreted. 

by Lisa Morgan
read full article at InformationWeek

How the new EU privacy regulations will help consumers

I’ve recently asked hundreds of people whether they knowingly allow their smartphones to be tracked and mined for data on their movements, and only two have so far said yes.

Even a recent meeting of 25 data scientists from the UK Geospatial Institute found only one person who knew about this. This small finding highlights how unaware most people are that their location privacy is being intruded upon by big tech companies every moment of every day. 

By Gary Flood
read full article at ITproportal

Justice Scalia: Underappreciated Fourth Amendment Defender

In addition to his many judicial bona fides, Justice Antonin Scalia was an underappreciated defender of the Fourth Amendment. With his typical thoroughness and deep textualism that reshaped American judging, the late conservative icon threw out convictions of individuals who were arrested as a result of unconstitutional violations. In Kyllo v. United States (2001), police illegally took thermal images of a man’s home to find a marijuana grow operation. In United States v. Jones (2012), a man had his Jeep tracked with GPS devices without a warrant, leading to a drug trafficking conviction. And in Florida v. Jardines (2013), police brought a drug dog onto a man’s porch to indicate drug activity inside, again, a marijuana grow operation. To Justice Scalia, the sanctity of a person’s home and property—beyond the “reasonable expectation of privacy” standard that dominates Fourth Amendment jurisprudence—was to be held above the governmental interests in fighting crime.

In Kyllo, Scalia wrote for a divided 5-4 majority that included Justices Clarence Thomas, Ruth Bader Ginsburg, David Souter, and Stephen Breyer: “The Fourth Amendment’s protection of the home has never been tied to the measurement of the quality or quantity of information obtained….In the home, our cases show, all details are intimate details, because the entire area is held safe from prying government eyes.” In Jardines, another non-traditional 5-4 split in which he was joined by Justices Thomas, Ginsburg, Sonia Sotomayor, and Elena Kagan, Scalia affirmed this dedication to the home, writing “[W]hen it comes to the Fourth Amendment, the home is first among equals.” 

By Jonathan Blanks
read full article at CatoInstitute

Solving disputes online: New platform for consumers and traders

The Online Dispute Resolution (ODR) platform offers a single point of entry that allows EU consumers and traders to settle their disputes for both domestic and cross-border online purchases. This is done by channeling the disputes to national Alternative Dispute Resolution (ADR) bodies that are connected to the platform and have been selected by the Member States according to quality criteria and notified to the Commission.

Key features of the platform:
The platform is user-friendly and accessible on all types of devices. Consumers can fill out the complaint form on the platform in three simple steps.
The platform offers users the possibility to conduct the entire resolution procedure online.
The platform is multilingual. A translation service is available on the platform to assist disputes involving parties based in different European countries. 

read full article at EuropeanCommission

Thursday, February 4, 2016

EU privacy rules may hit Internet giants hard

U.S. Secretary of Commerce Penny Pritzker assured attendees at the World Economic Forum in Davos, Switzerland, last week that the two sides were working hard on a comprehensive agreement, but she conceded that stumbling blocks remained over mass surveillance by U.S. security agencies and the right of European citizens to review their personal information.

Without a new deal, U.S. Internet companies could be forced to keep European customer data separate, adding complexity to their already far-flung operations and raising their costs. This week Facebook announced it was setting up its second data center in Europe, possibly positioning itself in case it needed to segregate European customer data. In addition, the French newspaper Le Monde reported Thursday that Google was also taking steps to allow European citizens to delete their information, meeting an EU demand that consumers be given a right to be "forgotten."

Talks have been under way for two years to revise the 15-year-old Safe Harbor Agreement, which gave U.S. companies blanket legal protection to transfer European customer information across the Atlantic. However, negotiations became more urgent last October when the European Court of Justice unexpectedly ruled that Irish authorities (where Facebook and other U.S. tech companies have European headquarters) had failed to adequately protect the privacy of European citizens. 

by Joel Dreyfuss 
read full article at CNBC 

EU Privacy Regulators Delay Possible Crackdown on Data Transfers to U.S.

European Union privacy regulators said Wednesday they will postpone a possible crackdown on trans-Atlantic transfers of personal details about Europeans until March or April, offering a temporary reprieve that still leaves thousands of companies on uncertain legal footing in Europe.

A body representing the EU’s 28 national data protection authorities said they would take time to evaluate a last-minute, data-sharing accord, agreed by the EU and the U.S. on Tuesday, to determine whether the U.S. has made binding commitments that protect the privacy of EU residents when their data is stored on servers located on U.S. soil. The regulators had previously said they would begin enforcing a landmark court ruling that invalidated a prior data-sharing framework if the EU and U.S. couldn’t arrive at a new deal.

The court had argued the prior framework exposed Europeans to mass surveillance by the U.S. government, but regulators decided Wednesday that the new agreement—dubbed Privacy Shield—meant they had to take a fresh look. 

By Sam Schechner and Natalia Drozdiak
read full article at Wall Street Journal 

European Privacy Regulators Want Details on ‘Safe Harbor’ Data Deal

Europe’s national privacy agencies demanded more details on Wednesday about whether the European Union’s new data transfer agreement with the United States would adequately protect individuals’ personal information.

The move by the privacy regulators, which represent individual countries within the 28-nation European Union, indicates an unwillingness to accept the word of officials in Brussels that they can adequately safeguard citizens’ personal data.

The group asked the European Commission, the executive arm of the European Union, to provide a fuller explanation of how safeguards would work and to explain how Europeans could seek legal redress in the United States if they believed their data was misused. 

By Mark Scott 
read full article at NY Times 

EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29

A mote of certainty for US businesses that export EU data for processing and are wondering whether or not they are in compliance with EU law right now, given the legal quagmire of EU-US data protection relations. The Article 29 Working Party, the body made up of representatives of individual European Member States’ data protection authorities (DPAs), has said today that it will not be taking enforcement action against companies that are using alternative transfer mechanisms in the wake of last year’s Safe Harbor strikedown.

The European Court of Justice invalidated Safe Harbor last October, following a legal challenge brought by European privacy campaigner Max Schrems, but the European Commission pointed companies to alternative transfer mechanisms they could use in the interim, such as standard contractual clauses and model contracts.

The WP29 has been assessing these mechanisms for the past few months, and said today that it does have concerns about their legality, in light of US government agencies’ access to European citizens’ data for surveillance purposes. However it is suspending these concerns temporarily while it waits to see details of the new data transfer deal, the EU-US Privacy Shield, announced yesterday by the European Commission. 

by Natasha Lomas
read full article at Tech Crunch

The new transatlantic data “Privacy Shield”

THE EUROPEAN Union and America have reached a deal on data protection. The “EU-US Privacy Shield” allows companies to store Europeans’ personal data on American computers. This ends a three-month hiatus since the European Court of Justice struck down the previous agreement, “Safe Harbour”, on the grounds that it gave insufficient protection against snooping by American spy agencies. Failure to reach a deal could have sparked a damaging legal spat, in which some European national data protection agencies could have ruled illegal all transfers of data across the Atlantic.

A transatlantic gulf separates ideas about data privacy: EU law sees it as a cherished human right; in America, it is more about consumer protection. Moreover, America’s National Security Agency (NSA)—the biggest and most powerful electronic-intelligence agency in the world—sparks fears in Europe of untrammelled snooping. The EU has no intelligence agencies of its own—so the tradeoffs between security and privacy which exist at national levels (where spymasters cooperate gladly and gratefully with the NSA) are invisible. Caught in the middle are the internet and technology companies: big ones could set up Europe-only data centres; small ones might find that doing business across the Atlantic was just too much trouble. 

read full article at The Economist

New privacy notices code 'developed with compliance with the General Data Protection Regulation in mind', says ICO

The UK's data protection watchdog has proposed updates to its privacy notices code of practice which it said accounts for the near-finalised new EU General Data Protection Regulation (GDPR).

03 Feb 2016

In its draft new privacy notices code of practice, the Information Commissioner's Office (ICO) advocates that companies use a "blended approach" to informing consumers about how they intend to use their personal data.

The ICO said that to meet obligations set out under data protection laws on the fair processing of personal data businesses should only use data "in a way that people would reasonably expect" and after thinking about the impact such data use would have on those individuals. In addition, businesses must ensure "people know how their information will be used". 

read full article at Out Law

Goodbye Safe Harbour, hello Privacy Shield – but what does that really mean for your data?

Privacy Shield, rebranded to prevent any association with its predecessor, is designed to offer new safeguards around access to data by public authorities and give citizens the right to take legal action against companies using their data. It will also create an independent ombudsperson role and have an annual review procedure.

The commissioner said in a press conference today that this will take just three months to implement. She also made assurances that the rules would still be suitable when new data protection regulations come into force in 2018.

Although this appears to offer some guarantee for big tech companies like Facebook, Amazon and Google that they will still be able to move data freely and therefore not have to increase costs to the public, it still has political hurdles to clear first. 

by Kirsty Styles
read full article at The Next Web

Looks Like Data Will Keep Flowing From the EU to the U.S. After All

The European Union and United States have struck a last-minute deal on keeping transatlantic data flowing — and it should mean tough new obligations for both American companies and intelligence services.

This really went down to the wire: An end-of-January deadline for agreeing on the successor to the struck-down Safe Harbor agreement passed with no deal, and EU privacy regulators are meeting today and tomorrow to discuss their crackdown on companies that are sending EU citizens’ data to the U.S. without legal backup. 

by David Meyer
read full article at Fortune


EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

Strasbourg, 2 February 2016

The College of Commissioners approved the political agreement reached and has mandated Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put in place the new arrangement. This new framework will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses. 

The new arrangement will include the following elements: 
Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs. 
Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it. 
Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created. 

read full article at European Commission

Friday, January 8, 2016

Uber agrees to enhance user privacy in settlement

New York's attorney general has announced a settlement with Uber requiring the car service app to protect riders' personal information.

The agreement follows an investigation by the AG's office amid reports that Uber executives had access to riders' locations and displayed them in an aerial view, known internally as "God View." 

read full article at CrainsNewYork

FTC’s credibility tarnishes as its privacy offensives grow

Having worked for an FTC commissioner, I've seen first hand the commission's regulatory successes. Imbued with the powers of competitive oversight and consumer protection, the Federal Trade Commission (FTC) was a beacon for other governmental agencies.

Unfortunately, times have changed. The commission's recent obsession with media exposure has darkened the FTC's luminescence.  The FTC has forgotten its core foundational tenet: identify practices that actually harm consumers. 

By Carl Szabo
read full article at TheHill

Snooper's charter would be out of date in five years, says defence industry

The accelerating pace of technology means the government’s landmark snooper’s charter bill will only have a limited shelf life and will need to be revisited within five years, Britain’s defence and security industry has told MPs and peers.

They have warned that there are serious questions over whether fundamental parts of the new law, which will overhaul surveillance powers, will be relevant in the near future as the technological landscape changes. 

by Alan Travis
read full article at TheGuardian

U.S. Department of Homeland Security Best Practices for Protecting Privacy, Civil Rights & Civil Liberties In Unmanned Aircraft Systems Programs

As co-chairs of the Department of Homeland Security’s (DHS) Privacy, Civil Rights & Civil Liberties Unmanned Aircraft Systems Working Group (DHS Working Group), we are pleased to present these best practices, which reflect DHS’ experiences in building unmanned aircraft system programs founded on strong privacy, civil rights, and civil liberties protections. Unmanned aircraft systems are an essential tool in DHS’s border security mission and present a great deal of promise for assisting first responders and improving situational awareness. These best practices represent an optimal approach to protecting individual rights that is influenced by U.S. Customs and Border Protection’s (CBP) ten years of experience using unmanned aircraft systems as a tool in protecting and securing the Nation’s borders. 

We are sharing these reflections broadly, recognizing that government entities (including CBP) have various limitations based upon their respective missions, operating characteristics, and legal authorities, and that many of the considerations that apply to our agency may not be applicable or appropriate for other entities. The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program. 

read full article at DHS

Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Years in the making, CISA is intended to incentivize organizations to share cyber threat indicators with the federal government and to promote the dissemination of this information to organizations facing similar threats. CISA sponsors and supporters hope that such information exchange will help organizations prepare for and respond more effectively to cyber threats.

In addition to CISA, the spending bill included a number of other cybersecurity provisions covering topics ranging from federal preparedness to foreign policy strategy. Most notably, the bill directs the Department of Health and Human Services (HHS) to develop cybersecurity best practices for organizations in the healthcare industry. The bill also directs federal agencies to create new plans to fortify federal information systems and identify cyber-related gaps in the federal workforce. 

by Hogan Lovells
read full article at IAPP

NIS + GDPR = A New Breach Regime in the EU

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18.

The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive.

by Gabriel Maldoff
read full article at IAPP

Researchers investigate the ethics of the Internet of Things

Researchers at nine UK universities will work together over the next three years on a £23m ($33.5m) project to explore the privacy, ethics, and security of the Internet of Things.
The project is part of 'IoTUK', a three-year, £40m government programme to boost the adoption of IoT technologies and services by business and the public sector. 

By Steve Ranger 
read full article at ZDNet