Cloud
Subscribe to Cloud's Posts

GPEN Publishes Privacy Sweep Results

On 10 September 2014, the Global Privacy Enforcement Network (GPEN) published the results of its privacy enforcement survey or “sweep” carried out earlier in 2014 with respect to popular mobile apps.  The results of the sweep are likely to lead to future initiatives by data protection authorities to protect personal information submitted to mobile apps.

The purpose of the sweep was to determine the transparency of the privacy practices of some 1,211 mobile apps and involved the participation of 26 data protection authorities across the globe.  The results of the sweep suggest that a high proportion of the apps downloaded did not sufficiently explain how consumers’ personal information would be collected and used.

Background

GPEN was established in 2010 on the recommendation of the Organisation for Economic Co-operation and Development.  GPEN aims to create cooperation between data protection regulators and authorities throughout the world in order to strengthen personal privacy globally.  GPEN is currently made up of 51 data protection authorities across some 39 jurisdictions.

Over the course of a week in May 2014, GPEN’s “sweepers” – made up of 26 data protection authorities across 19 jurisdictions, including the UK Information Commissioner’s Office (ICO) – participated in the survey by downloading and briefly interacting with the most popular apps released by developers in their respective jurisdictions, in an attempt to recreate a typical consumer’s experience.  In particular GPEN intended the sweep to increase public and commercial awareness of data protection rights and responsibilities as well as identify specific high-level issues which may become the focus of future enforcement actions and initiatives.

Sweep Results

The key negative findings of GPEN sweep include:

  • 85 percent of apps failed to clearly explain how personal information would be processed.
  • 59 percent of apps did not clearly indicate basic privacy information (with 11 percent failing to include any privacy information whatsoever).
  • 31 percent of apps were excessive in their permission requests to access personal information.
  • 43 percent of the apps had not sufficiently tailored their privacy communications for the mobile app platform – often instead relying on full version privacy policies found on websites.

However, the sweep results also highlighted a number of examples of best practices for app developers, including:

  • Many apps provided clear, easy-to-read and concise explanations about exactly what information would be collected, how and when it would be used and, in some instances, explained specifically and clearly what would not be done with the information collected.
  • Some apps provided links to the privacy policies of their advertising partners and opt-out elections in respect of analytic devices.
  • There were good examples of privacy policies specifically tailored to the app platform, successfully making use of just-in-time notifications (warning users when personal information was about to be collected or used), pop-ups and layered information, allowing for consumers to obtain more detailed information if required.

Many of the GPEN members are expected to take further action following the sweep results.  For its part, the UK ICO has commented that in light [...]

Continue Reading




Processing Personal Data in Russia? Consider These Changes to Russian Law and How They May Impact Your Business

Changes Impacting Businesses that Process Personal Data in Russia

On July 21, 2014, a new law Federal Law № 242-FZ was adopted in Russia (Database Law) introducing amendments to the existing Federal Law “On personal data” and to the existing Federal Law “On information, information technologies and protection of information.”  The new Database Law requires companies to store and process personal data of Russian nationals in databases located in Russia.  At a minimum, the practical effect of this new Database Law is that companies operating in Russia that collect, receive, store or transmit (“process”) personal data of natural persons in Russia will be required to place servers in Russia if they plan to continue doing business in that market.  This would include, for example, retailers, restaurants, cloud service providers, social networks and those companies operating in the transportation, banking and health care spheres.  Importantly, while Database Law is not scheduled to come into force until September 1, 2016, a new bill was just introduced on September 1, 2014 to move up that date to January 1, 2015.  The transition period is designed to give companies time to adjust to the new Database Law and decide whether to build up local infrastructure in Russia, find a partner having such infrastructure in Russia, or cease processing information of Russian nationals.  If the bill filed on September 1 becomes law, however, that transition period will be substantially shortened and businesses operating in Russia will need to act fast to comply by January 1.

Some mass media in Russia have interpreted provisions of the Database Law as banning the processing of Russian nationals’ personal data abroad.  However, this is not written explicitly into the law and until such opinion is confirmed by the competent Russian authorities, this will continue to be an open question.  There is hope that the lawmakers’ intent was to give a much needed boost to the Russian IT and telecom industry, rather than to prohibit the processing of personal data abroad.  If this hope is confirmed, then so long as companies operating in Russia ensure that they process personal data of Russian nationals in databases physically located in Russia, they also should be able to process this information abroad, subject to compliance with cross-border transfer requirements.  

The other novelty of this new Database Law is that it grants the Russian data protection authority (DPA) the power to block access to information resources that are processing information in breach of Russian laws.  Importantly, the Database Law provides that the blocking authority applies irrespective of the location of the offending company or whether they are registered in Russia.  However, the DPA can initiate the procedure to block access only if there is a respective court judgment.  Based on the court judgment the DPA then will be able to require a hosting provider to undertake steps to eliminate the infringements.  For example, the hosting provider must inform the owner of the information resource that it must eliminate the infringement, or the hosting [...]

Continue Reading




Incorporating Risk Analysis Into Your HIPAA Strategy

In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.

McDermott partner, Edward Zacharias, was interviewed by HealthITSecurity to discuss these topics and more.

Read the full interview.




The New Normal: Big Data Comes of Age

On May 1, 2014, the White House released two reports addressing the public policy implications of the proliferation of big data. Rather than trying to slow the accumulation of data or place barriers on its use in analytic endeavors, the reports assert that big data is the “new normal” and encourages the development of policy initiatives and legal frameworks that foster innovation, promote the exchange of information and support public policy goals, while at the same time limiting harm to individuals and society. This Special Report provides an overview of the two reports, puts into context their conclusions and recommendations, and extracts key takeaways for businesses grappling with understanding what these reports—and this “new normal”—mean for them.

Read the full article.




In with the New: 2014 Privacy, Advertising and Digital Media Predictions

Data privacy and security made the headlines practically daily in 2013.  Our second annual Privacy and Data Protection 2013 Year in Review topped 65 pages!

What privacy, advertising and digital media trends will make headlines in 2014? Here are predictions from Of Digital Interest’s U.S. editorial team:

User Tracking Law Enforcement in California: “Amendments to the California Online Privacy Protection Act (CalOPPA) took effect on January 1, 2014 that require every website that is available to California residents to disclose how it responds to Do Not Track signals from web browsers and what third party data collection is occurring on the website.  I predict that we will see enforcement activity from the California Attorney General about whether website owners/operators have made disclosures to consumers that not only meet the new CalOPPA requirements but also accurately reflect tracking activities by the website and by third parties.”  – Heather Egan Sussman, Partner

No Kid-ding:  “January 1 marked the six-month anniversary of the effective date of the amended “COPPA Rule,” which requires businesses to have parental consent before personal information is collected from kids under age 13.  Having just approved a parental consent method (in December), I predict that the Federal Trade Commission (FTC) will initiate COPPA enforcement actions related to social media (now that photos and videos are personal information under COPPA) and in mobile apps (now that COPPA covers geo-location data).  Perhaps the FTC will start by investigating the app developers to which the FTC sent letters explaining their new COPPA compliance responsibilities last May.”  – Julia Jacobson, Partner

Safe Harbor Will Stay Safe:  “Last year’s government surveillance accusations made the U.S. Safe Harbor Program a flash point for debate between EU and U.S. data protection regulators.  Nevertheless, very few on either side of the Atlantic believe that companies properly certified under the Safe Harbor Program should disrupt data transfers necessary to meet credible business objectives.   I predict that the rhetoric will continue, but so will the U.S. Safe Harbor Program, albeit perhaps tweaked in response to the European Commission’s recently-issued recommendations to improve the Progam’s effectiveness.   More debate to come in 2014, but, meanwhile, many U.S. companies will continue to view Safe Harbor certification as their preferred approach to E.U. data protection compliance and will continue to implement data protection policies and programs intended to comply with the Safe Harbor Principles.”  – Ann Killilea, Counsel

Cloudy Forecast:  “The year of 2014 is quickly becoming the year of the mega-sized data breach, with the Target and Neiman Marcus incidents leading the way.  Corporate customers have long been aware that cloud offerings present data security concerns, but may not have been as laser-focused on the data breach aspects as they should.  I predict that in 2014, as the cloud service market becomes a commercial fact of life, data breach concerns will dominate how customers select and contract with their cloud service providers, and how they implement their incident response plans by including cloud service providers in their preparations.”  – [...]

Continue Reading




Privacy and Data Protection: 2013 Year in Review

Privacy and data protection continue to be an exploding area of focus for regulators in the United States and beyond. This report gives in-house counsel and others responsible for privacy and data protection an overview of some of the major developments in this area in 2013 around the globe, as well as a prediction of what is to come in 2014.

Read the full report here.




STAY CONNECTED

TOPICS

ARCHIVES