
The Privacy Advisor | Top Privacy Stories of 2014, According to You


Any editor at any given publication will tell you having too much content is a really good problem to have. The Privacy Advisor saw more content and contributors in 2014 than it has in any year prior. That’s thanks at least in part to the fallout from the Summer of Snowden in 2013, Europe’s impending data protection regulation and mainstream media headlines announcing a steady stream of reputation-crushing breaches at household-name companies like Target, Home Depot and Sony.

Below is a recap of the top 10 of 2014. Check out the stories that resonated most with your peers.

How To Measure Your Privacy Program Step by Step

If there’s any lesson we’ve learned here at the IAPP about the kind of content our readers want, it’s that you're looking for news you can use. Perhaps that’s why our piece on how to effectively evaluate the data that privacy pros collect did so well. It summarized Microsoft Senior Privacy and Safety Strategist Tracy Ann Kosa’s suggestions for attendees at the IAPP Canada Privacy Symposium on how to provide evidence of data privacy compliance, data-driven decision-making and the overall impact of the privacy program. “If you’re a big company with tons of resources, you probably have a risk process in place,” Kosa said. “If you’re a privacy officer in a smaller company, you are the risk process.”

The Court Says the FTC Can Punish Rule-Breakers, But What Exactly Are the Rules?

One reason privacy pros may want to demonstrate data privacy compliance, other than to justify budget asks or perhaps the worth of your job itself, is to stay off of regulators’ radar. But that’s something that may be more difficult to navigate than anticipated if cases like FTC v. Wyndham are any indication. In April, a judge denied Wyndham Hotels and Resorts’ motion to dismiss the FTC lawsuit alleging Wyndham violated Section 5 of the FTC Act. The FTC alleged Wyndham violated both the “unfairness” and “deception” provisions of Section 5 because it claimed “industry-standard practices” in its privacy policy but failed to utilize basic protections, and customers suffered “substantial” harm as a result of its breaches. Privacy insiders largely cast the ruling as one of the most defining in privacy regulation and a big win for the FTC, but it elicited criticism that the FTC is enforcing concepts that aren’t well-enough defined for companies to keep themselves out of trouble even when acting in good faith.

What FTC Enforcement Actions Teach Us About the Features of Reasonable Privacy and Data Security Practices

Given cases like Wyndham, then, it’s no wonder readers were interested in a piece by IAPP Westin Fellow Patricia Bailin, CIPP/US, exploring how to stay out of trouble with the FTC. As part of the FTC Privacy Casebook project, the IAPP’s Westin Research Center is exploring FTC privacy and data security consent decrees to try to parse out what an acceptable level of privacy and data security could be to help privacy pros make good decisions within their organizations. Looking at FTC consent decrees, Bailin suggests possible guidelines for complying with FTC privacy and data security standards based on what the FTC has determined inadequate. In other words, by pointing out what companies did not have in their programs, the FTC provides a peek at what, in its opinion, these companies should have done. Read it if you missed it. Stay out of trouble.

EU Data Protection Regulation: A Tipping Point Has Been Reached

On the other side of the pond, there’s a debate going on as the EU works to revise its data protection regulation. You may have heard that’s something they’re trying to do? John Bowman of Promontory Financial Group has been keeping readers up-to-speed on the developments from Brussels, including the momentous occasion in November when it became clear the regulation will be finalized in 2015. On December 5, the proposed reg advanced one step further.

What Does the New European Commission Mean for Privacy?

While the regulation will mean sweeping changes for European data protection and privacy, so will a new commission. In September, IAPP Publications Director Sam Pfeifle looked at what the Financial Times called “one of the biggest overhauls of the EU executive in more than a decade.” The changes included two “high vice presidents,” five vice presidents and 20 commissioners, rather than the old format of 27 commissioners. Pfeifle noted those in the privacy world will want to pay particular attention to the “Digital Single Market” project team, headed by VP Andrus Ansip, who will oversee the conclusion of negotiations on Europe’s data protection reform as well as the review of the EU-U.S. Safe Harbor.

Article 29 Chair To Brill: DPAs Want Answers on Safe Harbor

Speaking of Safe Harbor, readers continue to be interested in the ongoing negotiations between the European Commission and the U.S. Department of Commerce, which oversees Safe Harbor. Perhaps that’s why there were so many clicks on our recent report out of Brussels on the live conversation between Article 29 Working Party Chairwoman Isabelle Falque-Pierrotin and the U.S. Federal Trade Commission’s Julie Brill. The chat was relatively benign until Safe Harbor became the focus. Then, Falque-Pierrotin got serious. “DPAs are expecting real answers. We will be very vigilant,” she said of watching to see that the U.S. makes good on its commitment to work on the European Commission’s 13 recommendations on how to make Safe Harbor safe from extinction.

Are You Ready for the Cookie Auditing Onslaught?

Talking Safe Harbor with the Americans isn’t all Falque-Pierrotin has been up to this year: She’s been busy as a regulator. The French Data Protection Authority (CNIL), which Falque-Pierrotin also heads, announced this summer that it would commence auditing websites and, for the first time ever, was able to do so remotely. The “cookie sweep,” which began in October, aims to garner a global view of privacy issues around the use of cookies and specifically looks at the purposes for which cookies are being used and whether the site editor is aware of them, as well as whether there are cookies that require consent. Digital analytics veteran Aurélie Pols offered tips on how to stay out of trouble.

Third-Party Vendor Management Means Managing Your Own Risk

Staying out of trouble can be difficult when more than one organization is involved. When third-party vendors get involved, things can get messy. Recognizing a need for education on this, K Royal, CIPP/US, CIPP/E, of Align Technologies, has been hard at work writing an eight-part series on the elements necessary for a successful vendor-management program. You can find all of the ongoing series, thus far, at the IAPP Resource Center.

Why Is PwC Hiring So Many Privacy Pros?

Besides practical advice like that given by Royal in her series on vendor management, we’ve learned here at the IAPP Publications Team that privacy pros like learning about each other: what each other’s daily tasks are, who reports to whom, what the greatest risks faced might be, maybe even who’s hiring. Our story on PwC’s recent recruitment of more than a dozen high-profile privacy pros had a lot of eyeballs on it.

Hewlett Packard First To Win Certification for BCRs, CBPRs

Finally, tactical advice on how to get the job done is always highly sought. As Safe Harbor continues to get negative press and as companies become more complex and global, binding corporate rules (BCRs) are increasingly an attractive alternative for transferring personal data globally. Hewlett-Packard recently became the first company to be approved under both the BCR and Cross-Border Privacy Rules frameworks. HP executives talk about the processes involved and what companies considering seeking approval under either system should expect.
