Header graphic for print

Inside Privacy

Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Privacy Weekend: Provocative Articles We’re Reading Now

Posted in Privacy Weekend

As readers of the InsidePrivacy blog know, we often save some fun reading on privacy issues for the weekend, given the crush of business during the week.  The past couple of weeks have been a challenging time for the Internet, though, and our thoughts have turned to the darker side of anonymity and privacy.  The scourge of the so-called #GamerGate movement has resulted in stunning threats of violence against women in the gaming community, causing Brianna Wu and Zoe Quinn to leave their homes after a barrage of threats, and media critic Anita Sarkeesian being forced to cancel a public presentation because of a death threat.  Civility online is under siege, and cyberthreats against women seem to be escalating.  Can anything be done?

Fortunately, Maryland law professor Danielle Citron’s new book, Hate Crimes in Cyberspace, has arrived at just the right moment.  Danielle’s work provides a thorough exposition of the problem and clear-minded thinking about potential solutions.  It’s the perfect weekend reading for those, like this writer, who feel a need to find solutions and restore hope in the potential of online discourse.  If you haven’t picked up Danielle’s book yet, there are excellent reviews of it here and here.  It is insightful and thoughtful, and a wonderful contribution to our thinking on these essential issues. Continue Reading

European Parliament Nominates New European Data Protection Supervisor

Posted in Uncategorized

On October 21, 2014, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) voted the Italian Giovanni Buttarelli as top candidate for the post of European Data Protection Supervisor (EDPS).  Mr. Buttarelli spent the last five years as Assistant Supervisor to the current  EDPS, Mr. Peter Hustinx. 

Referred to as the “privacy watchdog”, the EDPS’ main objective is ensuring that the European institutions, bodies, agencies and offices respect the privacy of citizen data.  With the European Union’s rules on personal data protection currently under review, this institution is expected to play an increasingly prominent role in European policy.

The European Parliament and the EU Council of Ministers appoint the EDPS and the Assistant Supervisor “by common accord” for a five-year term, on the basis of a candidate list proposed by the European Commission.  Following interviews of five candidates on October 20th, Mr. Buttarelli received 34 votes in the LIBE Committee, making him the top candidate for the job, and leaving behind other high-level EU privacy experts (the Committee’s shortlist of preferences can be accessed here).  The Pole Wojciech Wiewiorowski, head of the Polish Data Protection Authority, was nominated for the position of  Assistant Supervisor.  The Committee’s nominations will be voted on by the Parliament’s plenary session, and subsequently by the EU Council.

EU Confirms New Heads of the European Commission – But Who Will Drive Data Protection Reforms?

Posted in European Union, International

 By Philippe Bradley-Schmieg 

The European Parliament voted yesterday (October 22, 2014) to approve the President of the European Commission’s selections for his team of European Commissioners.

Jean-Claude Juncker’s picks received strong endorsement from MEPs, with 423 in favour, 209 against, and 67 abstentions.  Even so, he was forced to amend his proposal ahead of the vote after a few of his first picks failed to win over hostile MEPs during Parliamentary confirmation hearings.

The new Commissioners will take office on Monday, November 3rd, although questions remain over the division of authority within the new Commission with respect to privacy and data protection.

As recently previewed on this blog, Jean-Claude Juncker has set up a complex structure of overlapping portfolios, in the hope that this will, he says, lead the Commission to “work together as a strong team, cooperating across portfolios to produce integrated, well-grounded and well-explained initiatives that lead to clear results.” Continue Reading

CFPB Finalizes Rule to Allow Online Privacy Disclosures from Financial Institutions

Posted in Financial Institutions, Financial Privacy, Privacy Policies

By Ani Gevorkian

On Monday, the Consumer Financial Protection Bureau (CFPB) finalized a rule that promotes more effective privacy disclosures and saves the financial services industry around $17 million dollars.  The new rule permits financial institutions that restrict data-sharing to post their annual privacy notices online rather than delivering them to customers individually.  The rule will be effective as soon as it is published in the Federal Register. 

Under the Gramm-Leach-Bliley Act (GBLA), a financial institution generally must send annual privacy notices to customers that describe whether and how the financial institution shares their nonpublic personal information.  An institution that shares this information with unaffiliated third parties generally must notify customers of their right to opt out of the sharing and provide instructions on how to do so.

Under the new rule, a financial institution may meet GBLA requirements by posting privacy notices online instead of distributing an annual paper copy, as long as the institution adheres to certain requirements.  For instance, the institution may not share data in ways that trigger customers’ opt-out rights.  They must also continue to send notices through existing delivery methods if the policies’ terms change or if a customer with limited internet access requests by phone to receive a notice. Continue Reading

Senators Request Hearing on Connected Devices

Posted in Congress, United States

On October 20, 2014, a bipartisan group of senators sent a letter to U.S. Senate Committee on Commerce, Science, & Transportation Chairman John D. Rockefeller IV (D-W.Va.) and Ranking Member John Thune (R-S.D.), requesting that the Committee schedule a “general oversight and information-gathering hearing” on digitally connected technologies before the end of 2014.

The letter, penned by Sens. Kelly Ayotte (R-N.H.), Cory A. Booker (D-N.J.), Deb Fischer (R-Neb.), and Brian Schatz (D-Hi), stated that the connected devices industry is expected to generate global revenues of $8.9 trillion by 2020, and that its importance would soon be felt by millions of Americans with the “proliferation of connected products” and “the upcoming holiday season.” The industry, however, raises a number of important policy questions in the areas of “consumer protection, security, privacy, technical standards, spectrum capacity, manufacturing, regulatory certainty, and public-sector applications,” the letter said. Continue Reading

ICO Releases Concrete Guidance on Privacy Requirements When Recording Video with Drones

Posted in International, United Kingdom

On October 15, 2014, the UK Information Commissioner’s Office (ICO) published an updated code of practice for surveillance cameras.  Among other topics, the ICO uses the Code to begin to address privacy practices for drones. 

Drones are not new, but two factors are now making questions about drones and privacy practices more pressing.  First, many drones now include high quality cameras, sourced originally from smart phone technologies, which increases their potential impact on individual privacy.  Second, the price of drones has fallen dramatically in recent years — making them increasingly ubiquitous and available for both businesses and consumers.  Policymakers in the United Kingdom and in the European Union are currently gathering information and conducting impact assessments to determine whether new legislative rules are needed to deal with the privacy challenges posed by drones, or whether existing data protection rules are sufficient. 

The ICO guidance note makes clear that standard data protection rules (and rules governing the use of CCTV cameras) will, in the meantime, apply to the use of drones.  It explains that — as with organizations and individuals handling data more generally — drone users should be separated out into professional and commercial users, on the one hand, and hobbyists, on the other.  Hobbyists, using drones for purely domestic purposes, are unlikely to be covered by data protection rules — but use of drones for non-domestic purposes will be governed by data protection requirements. Continue Reading

President Obama Signs Executive Order Aimed at Protecting the Security of Consumer Financial Transactions

Posted in Cybersecurity, Data Security

By Ashden Fein and Randall Friedland

On Friday, President Obama signed an Executive Order directed at securing consumer transactions and sensitive data, improving consumer identify theft remediation, and better securing personal information on federally run websites.  Among the security measures, the President ordered all federal government-issued credit cards be equipped, as soon as possible, with chip-and-PIN technology.  The chip-and-PIN technology, commonly used in Europe, makes stealing credit card numbers more difficult.  Chips are embedded in the credit cards and generate a unique code for every transaction requiring a user PIN (similar to a debit card)—adding another layer of security.  Further, the Executive Order requires all retail payment card terminals at federal agencies to be able to accept the chip-and-PIN technology by January 1, 2015.

Continue Reading

FDA Releases Final Guidance on Cybersecurity in Medical Devices, Public Workshop to Follow on October 21-22, 2014

Posted in Cybersecurity, Data Security, United States

On October 2, 2014, the Food and Drug Administration (FDA) released a final guidance document titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices”.  The FDA said that the “need for effective cybersecurity to assure medical device functionality and safety has become more important with the increasing use of wireless, Internet- and network- connected devices, and the frequent electronic exchange of medical device-related health information.”  The FDA defines cybersecurity as “the process of preventing unauthorized access, modification, misuse or denial of use, or the unauthorized use of information that is stored, accessed, or transferred from a medical device to an external recipient.”  The cybersecurity of medical devices gained media attention last year when former Vice President Dick Cheney revealed that his doctor had the wireless function of Cheney’s implanted defibrillator replaced due to fears that a terrorist could hack the device and assassinate the Vice President. 

The guidance document identifies cybersecurity issues that manufacturers should consider when designing and developing their medical devices and information they should include when preparing their FDA medical device premarket submissions.

Continue Reading

Data Protection Officials Adopt Internet of Things Declaration and Big Data Resolution

Posted in International

At the International Conference of Data Protection and Privacy Commissioners in Mauritius this week, representatives of the private sector and academia joined together to discuss the positive changes and attendant risks that the internet of things and big data may bring to daily life. Attendees memorialized the observations and conclusions of their discussions in a Declaration on the Internet of Things and a Resolution on Big Data. The documents are not, of course, binding. But, the fact that the Declaration and Resolution drew the consensus of a large gathering of international data protection regulators renders them relevant indicators of direction of data privacy policies and trends. Continue Reading

New Jersey Legislature Considers Additional Protections for Car “Black Box” Data

Posted in Data Security

By Caleb Skeath

You’ve added a passcode to your phone, checked your social network privacy settings (twice), and kept close tabs on the cookies in your web browser. But have you ever thought closely about the information your car collects about you?

New Jersey legislators are debating two identical bills that would provide additional safeguards against the disclosure of data contained in a car’s “black box,” which track a vehicle’s technical status and operational performance. These devices, often referred to as event data recorders or EDRs, are present on 90% of all cars and light trucks in the U.S. and may soon become mandatory on all new vehicles. In addition to assisting mechanics with car repairs, EDRs can assist law enforcement and insurance companies in crash investigations.

Continue Reading