News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tracker | Global News Roundup Related reading: MedData data breach lawsuit settled for $7M

rss_feed

""

""

Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for executives, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more. 

Latest News

Nigerian Bill Would Increase Authorities’ Access to E-Communications
Nigerian President Goodluck Jonathan has submitted a bill to the National Assembly that would allow security agents to “intercept and record electronic communications between individuals and seize usage data from Internet service providers and mobile networks,” reports AllAfrica. The Interception of Electronic Communications bill states, in circumstances where the “content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a judge may on the basis of information on oath” order a service provider to turn over, record or retain consumer data or assist authorities in doing so. The penalty for noncompliance is N10million for service providers and for company directors, managers or officers, a three-year jail term, N7 million fine or both, the report states. While some see the law as a help in fighting cybercrime and terrorism, others see it as a “direct assault on some of the most important of our individual freedoms.”

Turkish Internet Bill Would See ISPs Retaining Data for Two Years
The Turkish government has proposed a bill that would give the country’s telecommunications authority the ability to block websites deemed to violate privacy and require Internet providers to retain users’ data for two years to be made available to authorities upon request, reports the Associated Press. Some say the bill will bring censorship in Turkey to new heights and worsen press freedoms, but the government denies the accusations and says it will protect privacy. In this Deutsche Welle interview, Istanbul communications instructor Erkan Saka outlines what effect the law may have on citizens, saying, “The government's access to personal data may be the worst aspect of the law.”

U.S. Sens. Introduce Data Breach, Privacy Rights Legislation
A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents.

Sens. Diane Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the Federal Trade Commission to release a set of security standards for businesses holding consumer data.

Sens. Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced the Personal Data Protection and Breach Accountability Act prior to Tuesday’s NTIA hearing. The act aims to deter preventable breaches, minimize consumer harm and promote information-sharing between federal agencies, law enforcement and the private sector, reports Dark Reading. 

Sen. Robert Menendez (D-NJ) has announced plans to introduce the Commercial Privacy Bill of Rights. The bill aims to “give consumers the protections they need, create common-sense accountability measures for businesses so our personal information is not held hostage to the power of our technology, place limits on both the type of information businesses may collect and limit how long they can retain that information,” Menendez said in his announcement.

California AG Sues Over Delayed Breach Response
The California Attorney General’s Office (CA AG) has filed a complaint against Kaiser Foundation Health Plan, Inc., saying the company’s data breach and subsequent delayed notification violate the state’s unfair competition law, David Navetta writes for InfoLaw Group. The CA AG alleges that prior to the completion of Kaiser’s analysis of the breach, “it had sufficient information to notify at least some affected individuals,” Navetta writes, adding, “In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even if its investigation was not complete, amounted to a failure to provide notice ‘in the most expedient time possible and without unreasonable delay’ under California’s breach notice law.”

California Assemblywoman Proposes Victim Privacy Bill
Assemblywoman Toni Atkins (D-San Diego) has introduced AB 1623, which would ensure that victims of domestic violence are not denied help at family justice centers if they are undocumented immigrants or have a criminal history, reports The San Diego Union-Tribune. The bill would also mean family justice centers would not be allowed to share certain information on victims with law enforcement or other agencies without the victims’ consent.

Kentucky Bill Would Prohibit Selling of Student Data
The Kentucky Senate Education Committee has unanimously approved a bill that would prevent the sale of student data by technology companies,  require school districts to post lists of all third-party web-based services they use and provide for agency audits of schools’ data collection practices, reports the Associated Press. Sen. Jimmy Higdon (R-Lebanon) notes that these protections are similar to those used to protect government data in the state, adding, students do not “have a choice when it comes to the online services they use … No company in a position to store private, school data should be able to sell that data for profit."

Minnesota DPS Privacy Policy Brings Concerns for Insurance Availability, Cost
The Minnesota Department of Public Safety’s (DPS) new privacy policy means that it will not share drivers’ data in bulk anymore, as all other states do. KAALtv reports that the DPS will now charge $5 per record and records will only be available during business hours through a secure online system. While the state says, "This will increase data security, improve accountability and ensure that DPS will be able to audit all users,” Mark Kulda of the Insurance Federation of Minnesota says these are costs that will be passed on to customers and has concerns that residents will not be informed of recalls or be able to prove driving history for better insurance premiums.

New Hampshire Considering Student Social Media Bill
A New Hampshire Senate committee held a hearing on Tuesday to consider a bill that would prohibit colleges and universities from asking for access to students’ and prospective students’ social media sites, reports the Associated Press.

NJ Bill Would Require Cos To Contact Consumers Directly After Breach
New Jersey Assemblywoman Linda Stender (D-Union) has introduced legislation to toughen data breach notification standards by removing the ability of companies to use “substitute notice” as a means to notify customers affected by a large data breach, among other provisions. Law360 reports that New Jersey currently requires companies to notify residents upon reasonable belief that an unauthorized person accessed their data but provides for notice in the form of “contacting statewide media and posting a notice on its website” in the event of breaches affecting more than 500,000 people or costing more than $250,000. (Registration may be required to access this story.)

 U.S.

Sen. Wants Data Brokers To Name Clients
The head of the Senate Commerce Committee wants data brokers to disclose the names of their clients—especially those that categorize people as financially vulnerable or by their health status, MediaPost reports. Sen. Jay Rockefeller (D-WV) wrote a letter to Acxiom, Epsilon, LexisNexis, NextMark and MEDbase 200 asking that they name all of their clients for the last five years. Rockefeller’s concerns include that customers are being treated unfairly as a result of the personal data stored on them. He recently said he’s “revolted” by reports that brokers sell such lists as “genetic disease sufferers.”
Full Story

Legislators Considering Regulating Biometrics
Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems,” Reuters reports. The legislators are examining the issue in the wake of outrage from parents who learned last year that “students' eyes were being scanned as a condition of boarding school buses in central Florida's Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children's data is taken,” the report states.
Full Story

CA AG To Release Best Practices for DNT Compliance
California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law, MediaPost News reports. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, the AG’s director of privacy education and policy. Editor’s Note: For more on complying with the new law, see The Privacy Advisor exclusive, “How Should I Respond to California’s Do-Not-Track Requirements?
Full Story

Lawmakers Optimistic Data Privacy Law Will Pass; PCI DSS "Remains Solid"
While SC Magazine reports on the current state of global data breach legislation, The Hill reports some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” Meanwhile, in an interview with Computerworld, the Payment Card Industry Security Standards Council's Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year.
Full Story

What the Target Incident Means for the SEC and Cybersecurity
“With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention,” write Jenner & Block’s Mary Ellen Callahan, CIPP/US, and Elaine Wolff. In this post for Privacy Perspectives, Callahan and Wolff look into the SEC’s guidance on cybersecurity, including recent comments by the agency that “underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition.” The Target incident, they point out, “highlights some of the limitations in the SEC guidance.” Editor’s Note: Callahan and Wolff will speak as part of a panel discussion on the SEC and cybersecurity at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.
Full Story

State AGs as Privacy Regulators—Q & A with Maryland AG Doug Gansler
In this Q&A exclusive for The Privacy Advisor, Divonne Smoyer, CIPP/US, speaks with Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler's focus was "Privacy in the Digital Age." He tells Smoyer, "State attorneys general have long been champions of consumers' privacy in the physical marketplace, where breaches of privacy are more easily contained," explaining, "if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater." Editor’s Note: Smoyer, and Aaron Lancaster, CIPP/US, wrote about the role of the AG in privacy enforcement in a recent post for Privacy Perspectives.
Full Story

As DOT Pushes For Connected Cars, Senators Want Privacy Considered
While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out, Politico reports. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. Editor’s Note: Future of Privacy Forum’s Joshua Harris wrote about the issue of privacy and connected cars in a recent post for Privacy Perspectives.
Full Story

Courts Tackle Privacy of Delivered Texts, Voicemails
Courthouse News Service reports the Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, Law360 reports that U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act.
Full Story

HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth
The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data, The National Law Review reports. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.”
Full Story

Judge: Pedophile Investigators Can Use Metadata
A federal judge has ruled that investigators may use metadata to track sources of inappropriate photos of children, Houston Chronicle reports. In his order, U.S. District Judge Gregg Costa wrote the metadata embedded in a photo of a four-year-old girl shared online solved the "needle-in-the-haystack problem" investigators face. The perpetrator’s attorney had argued phones retrieve GPS coordinates without notifying users, so “although the image was contraband, the legitimate expectation of privacy as to location and identity is not rendered unreasonable.” Costa disagreed, writing, "He gave up his right to privacy in that image once he uploaded it to the Internet … There is no basis for divvying up the image … into portions that are now public and portions in which he retains a privacy interest."
Full Story

CANADA

Opinion: Employee PI Decision Noteworthy
In a feature for Canadian Employment Law Today, Meghan Cowan examines a recent decision by the Office of the Alberta Information and Privacy Commissioner on the collection, use and disclosure of employees’ personal information. Cowan suggests the December decision, which stems from a complaint an employee filed under the Personal Information Protection Act (PIPA), “provides a noteworthy lesson for employers when managing sensitive employee medical information.” The information in question related to medical leave and disability benefits, the report states, meeting the definition of personal employee information under PIPA. “This decision is significant not only for delineating the consent and disclosure requirements around employee medical information in Alberta, but for privacy legislation in other Canadian jurisdictions,” Cowan writes.
Full Story

EU

Takeaways from the First Cookie Consent Fines
Last month, Spain’s Data Protection Authority (DPA) issued its first fines since its implementation of the EU “cookie consent” requirement, prompting Nuria Pastor to write for the Field Fisher Waterhouse Privacy and Information Law Blog of the messages to take away from this case. Among those takeaways, Pastor writes, “Even though cookies are part of our everyday life, European regulators perceive the use of cookies as intrusive—this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.” She also cautions that “the grace period has long been over. If you have not already done so, it is important to get your house in order now.”
Full Story

ASIA PACIFIC

As Deadline Approaches, APPs Continue To Make Headlines
With the 13 Australian Privacy Principles (APPs) set to replace the Information Privacy Principles and National Privacy Principles in March, many articles are offering tips on what organisations should be doing to prepare. In a report for The Guardian, Paul Farrell details how the new laws will work, and in her feature for The Sydney Morning Herald, Sylvia Pennington writes that those organisations that don’t take “reasonable steps” to comply “face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.” Pennington highlights seven tips for organisations preparing for the APPs. Meanwhile, Australasian communications firm SenateSHJ predicts privacy will be one of the top issues and trends for 2014.

Full Story

Author
Headshot Emily Leach, CIPP/E, CIPP/US IAPP Member Contributor
Tags
Education
Financial
Government
Health Care
Marketing/Retail
Africa
Asia-Pacific
Canada
Europe
U.S.
Biometrics
Data Loss
Enforcement
Internet of Things
Personal Privacy
Surveillance
Comments

If you want to comment on this post, you need to login.

Related Stories
MedData data breach lawsuit settled for $7M
The HIPAA Journal reports cycle management firm MedData agreed to pay USD7 million to settle a class-action lawsuit related to a data breach. The lawsuit involved an incident where the data of 136,000 people was exposed after an employee allegedly uploaded the information to a public-facing website....
Read More queue Save This
European Commission issues guidance on Data Act
The European Commission published an overview of the Data Act. The law raises rules on who can access and use data generated in the EU across all economic sectors while establishing the conditions upon which public sector entities can obtain request data from businesses "where there is an exceptiona...
Read More queue Save This
Related Stories
Tags
Education
Financial
Government
Health Care
Marketing/Retail
Africa
Asia-Pacific
Canada
Europe
U.S.
Biometrics
Data Loss
Enforcement
Internet of Things
Personal Privacy
Surveillance
Recent Comments