On October 17, the Spanish data protection authority published the Guide to Privacy by Design. While Privacy by Design (PbD) first became a legal requirement in the EU with the implementation of the General Data Protection Regulation, it is a well-known concept among privacy professionals that dates back to the 1990s. PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves applying privacy protection measures across all business processes and practices associated with personal data.
The fourth annual Global Privacy Enforcement Network (GPEN) sweep, which focused on Internet of Things devices, found that privacy communications in relation to such devices were generally poor and that companies demonstrating good practice were in the minority. Here, we summarize and explore the key findings of the fourth annual GPEN sweep.
One of the most common devices in the emerging Internet of Things (IoT) was reportedly discovered to have a bug. According to the security firm Fortinet, a popular fitness tracker was vulnerable to wireless attacks through its unsecured Bluetooth interface. A savvy attacker could install malware wirelessly within about ten seconds, simply by coming within a few feet of the tracker. When the device’s owner later returned home to sync daily activity with a computer, the malware could, in principle, spread to the computer as well.
The UK and Canadian data protection regulators have written to webcam manufacturers to highlight concerns about the safety of internet-connected devices and to enlist their assistance in reducing the risks posed by their products. In particular, the regulators call for manufacturers to roll out privacy-friendly default settings, implement “privacy by design” – whereby data protection and privacy considerations are built into the design and manufacturing process – and provide increased guidance to consumers about ensuring the security of devices.
Privacy law compliance means not only identifying and remediating compliance gaps, but also putting in place a privacy management infrastructure so that privacy issues are handled on an ongoing basis. Attending to the infrastructure task can be challenging.
To aid in this effort, on April 17 Canada’s privacy commissioner, along with the privacy commissioners of the provinces of Alberta and British Columbia, issued a guidance document entitled “Getting Accountability Right with a Privacy Management Program,” along with an “At a Glance” two-page summary. These materials are summarized in this entry.
We are pleased to provide an English language translation of Paris Office Partner Winston Maxwell’s article examining the European Commission’s proposed regulation on data protection. The article focuses on the Commission’s choice of a regulation as opposed to a directive, and on the new obligations that would be imposed on companies, including the accountability principle, privacy by design, and the obligation to conduct privacy impact assessments (PIAs) for certain kinds of processing. It also describes the proposed changes to the rules on applicable law, which are designed to bring certain non-European websites within the scope of European privacy rules, as well as the proposed “right to be forgotten” and the right to data portability.
On January 10, Peter Hustinx, the European Data Protection Supervisor, released his annual “Inventory” of issues of strategic importance for 2012, indicating that he would be focusing on, among other issues, the proposed EU data protection framework, IP rights versus privacy rights, cloud computing, and financial sector reform.
This blog entry describes and links to articles from today’s Wall Street Journal and New York Times concerning the proliferation of apps (at the expense of software manufacturers) and the issue of app privacy, and how industry is addressing it. Hogan Lovells’ Chris Wolf is quoted in the Times article on how app developers should invest in creating privacy policies as a fundamental requirement, and a free webinar on app privacy hosted by the Mobile Marketing Association in conjunction with the Future of Privacy Forum is described, with a registration link.
In a recent article, Christopher Wolf looks back at the e-G8 conference and pleads for better transatlantic cooperation on privacy matters, explaining the tension between U.S. First Amendment traditions and certain European proposals, including the right to be forgotten.
After a year of hearings, including meetings in Washington with the FTC and DOJ, a French parliamentary commission released its findings on the protection of individual rights in the digital revolution. The 384-page report from the French National Assembly contains recommendations on cloud computing, privacy by design, and EU privacy law reform.
Europe’s group of data protection authorities, the Article 29 Working Party, issued an opinion on smart meters that goes into surprising detail on points such as the size of the display for the user interface, the need for a ‘push button’ consent module for consumers, and the need to keep load graph data stored locally whenever possible. The Working Party stresses the need for energy suppliers and third-party energy service companies to develop detailed data retention policies to ensure smart meter data are deleted as soon as they are no longer needed.
On December 13, 2010 a Federal District Court in Montana dismissed many of the claims brought against an ISP in connection with the ISP’s use of NebuAd monitoring technology. The court held that users had validly consented to the monitoring technology. The NebuAd case usefully focuses on the issue of user consent, rather than on technological distinctions between ISPs and service providers at the edge.
A presentation by Hogan Lovells privacy partners compares the European Commission’s “EG2” privacy recommendations for smart grids with the comparable recommendations of NIST. We explain the concept of “privacy by design” in the smart grid environment and the use of detailed privacy use cases to mitigate system risks. The presentation compares the U.S. concept of “PII” with the European concept of “personal data” and discusses the risks associated with transferring household electricity data to third parties, as is mandated by California and Italian law.
On July 19, Rep. Bobby Rush (D-Ill.), chairman of the House Energy and Commerce Subcommittee on Commerce, Trade, and Consumer Protection, introduced a privacy bill that would codify certain fair information principles into law for certain “covered entities” that collect, maintain, use, and transfer to third parties any “covered information” (consisting of personally identifiable information as well as any “unique identifier,” including IP addresses).
The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding. Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include: Consumer expectations of privacy, and how to […]
The Article 29 working party of European data protection authorities published a roadmap listing areas of future reform of privacy legislation in the EU. “Privacy by design,” increased accountability and a reduction in administrative filing obligations are among the WP29’s proposals.