UK Information Commissioner publishes review of impact of Civil Monetary Penalties

July 31, 2014

The UK Information Commissioner has published a review of the impact of the Civil Monetary Penalties.

Under the Data Protection Act 1984 the ICO can issue Civil Monetary Penalties (CMPs) to the maximum of £500,000 for serious breaches of the Data Protection Act (the DPA) and serious breaches of the Privacy and Electronic Communications Regulations (PECR). The criteria for serving a CMP under section 55A(1) of the DPA are:

  1.  there has been a serious contravention of a data protection principle and
  2.  “the contravention was of a kind likely to cause substantial damage or substantial distress” and
  3.  the data controller:

      (a) knew or ought to have known—
          (i) that there was a risk that the contravention would occur, and
          (ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
      (b) failed to take reasonable steps to prevent the contravention”.

The listed key findings are:

  • The research findings indicate that CMPs are effective at improving data protection compliance. This was particularly clear for organisations that had been issued with a CMP; the research showed a clear impact on how those organisations managed their data protection responsibilities:
    • Organisations took their data protection obligations seriously, with revised practices and policies, and increased staff training.
    • Data protection was given a higher profile, with greater senior management buy-in.
    • Staff awareness was raised through targeted campaigns, with the importance of handling data properly made more prominent.


Max Mosley sues Google

July 30, 2014

Max Mosley has commenced action in the High Court of Justice, Queen’s Bench Division in Mosley v. Google Inc & Anr, HQ14X02964. The relief he is apparently seeking is to compel Google to stop gathering and publishing the images on the basis that Google breached rules on the use of private information, a claim in equity, and data protection, presumably grounded in statute. This has the potential to expand the operation of misuse of private information claims in the UK. Mosley has been successful in his action against Google in France (see here also); however, privacy protection in civil code jurisdictions, in particular France, is greater and the principles to be applied are not analogous.

The coverage is quite significant, not surprising given Mosley’s history of privacy litigation and the nature of the images he wants to remove.  It is covered by Bloomberg here, the Guardian here and Bayou Buzz (for that Louisiana focus) here.

The Sydney Morning Herald covered the story in  Ex-formula one boss Max Mosley sues Google over sex party images which provides:

London: Max Mosley, the former formula one chief, is suing Google for continuing to publish images of him at a sex party.

Mr Mosley, whose father Sir Oswald Mosley was the wartime British fascist leader, won £60,000 damages from the now-defunct Murdoch-owned News of the World tabloid in 2008 after an earlier High Court action.

Canvas fingerprinting and privacy

ProPublica has run a number of very important stories on internet privacy, in particular regarding online tracking, such as Why Online Tracking Is Getting Creepier, It’s Complicated: Facebook’s History of Tracking You and Privacy Tools: How to Block Online Tracking.

ProPublica’s story Meet the Online Tracking Device That is Virtually Impossible to Block has caused something of a stir given the concerns about tracking tools. As the article notes, it has prompted at least one site to remove the program.

It provides:

Update: After this article was published, YouPorn contacted us to say it had removed AddThis technology from its website, saying that the website was “completely unaware that AddThis contained a tracking software that had the potential to jeopardize the privacy of our users.” A spokeswoman for the German digital marketer Ligatus also said that it is no longer running its test of canvas fingerprinting, and that it has no plans to use it in the future.

…….

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

First documented in a forthcoming paper by researchers at Princeton University and KU Leuven University in Belgium, this type of tracking, called canvas fingerprinting, works by instructing the visitor’s Web browser to draw a hidden image. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Future Tense program on the ABC – 1984 and our modern surveillance society

The ABC program Future Tense had a program titled 1984 and our modern surveillance society, which deals with privacy issues and surveillance. It can be heard here.

As an overview it is quite effective.

It provides:

Mass surveillance is now a part of our social, economic and political lives—governments and companies snoop on us like never before. But are we really heading toward an Orwellian future? Antony Funnell investigates.

 When George Orwell finished work on 1984 he was already a man without a future. Fading rapidly from tuberculosis, his most celebrated novel was to be his last.

He died shortly after its publication.

Yet more than half a century later, his dystopian vision of the future is alive and in rude good health.

Facebook has Damascene moment on privacy

July 29, 2014

“Facebook” and “privacy” are not too often found in the same sentence without a “trashes” or an “ignores” or the catch-all “not”. The Federal Trade Commission has entered into (the polite way of saying forced) an enforceable undertaking with Facebook.

Things may be changing at Fortress Facebook however.

In Facebook’s Privacy Pivot, Slate reports on a possible change in attitude as well as practical action, with developments which point to a more proactive and real privacy framework. Of course the proof is always in the, private, pudding. For most privacy practitioners Facebook will be on double secret probation for the long term. The concern is Read the rest of this entry »

Privacy Commissioner publishes statistics for April – June 2014

The Office of the Australian Information Commissioner has published its most recent statistics relating to the last quarter.  They are found here.  The media release is found here.

Regarding privacy related work the OAIC made the following comments:

  • Phone enquiries: handled 16,486 phone enquiries (18,238 in 2012–13) — a 9% increase in privacy phone enquiries, which are 71% of the total
  • Written enquiries: answered 3742 written enquiries (3165 in 2012–13) — a 26% increase in privacy written enquiries, which are 64% of the total
  • Privacy complaints: received 4243 complaints (184% increase), and completed 2616 (74% increase). The average closure rate was 7.2 privacy complaints per day (90% increase), and the average completion time was 86.7 days (44% decrease)
  • Privacy audits: conducted 8 audits (60% increase)
  • Data breach notifications (DBNs): handled 73 DBNs (55% increase)
  • Privacy investigations: conducted 13 Commissioner-initiated investigations (32% decrease), and published 4 reports
  • Advice, guidance and submissions: published 20 guideline items, conducted 22 consultations, provided 133 written policy advices, and made 17 submissions
  • Website visits: received 1.51 million website visits (10% increase)


Privacy and the mobile

The Conversation usually publishes insightful and well written pieces on subjects of public policy, law, science or the humanities (to name but a few topics covered).  Sometimes its offerings are not so good.  Like with Your life in their hands – privacy and your mobile device.  Something of a curate’s egg – good in parts.

It provides:

The explosive uptake of mobile devices including smartphones and tablets has us immersed in a complex, volatile soup of hyper-connected digital technologies, where not only is the perception of time being compressed, but privacy protections are being reshaped.

Onion ransomware on way…. serious data security issue with knock on privacy concerns

Ransomware is a particularly nasty tool in the hacker’s bag of tricks. Once security has been breached the hackers use Onion ransomware to encrypt files on a device attached to a network and then demand a ransom. And it is on the way according to The Australian’s Onion ransomware could take root here. The usual route into a network is through a phishing attack. Hence all the more reason for staff to receive proper privacy training and to develop proper programs and protocols in handling email communications and oral enquiries. In my experience it remains hand slapped to forehead depressing how inadequate training in basic privacy protocols is, and when businesses actually do some privacy training it is done as a one off event. No repeat for, say, new staff or refreshers to deal with new systems. And then businesses wonder how there is a breach a month or year down the track. The Privacy Commissioner’s guidelines on data security make it clear that Read the rest of this entry »

Delaware passes law requiring destruction of personally identifiable information

July 28, 2014

It is a core feature of most privacy and data legislation that organisations and governments should only retain personal information for the period required and for the purpose for which the information was collected. It is common in cases of data breaches to find that organisations which have had poor data security also have hopeless data management practices: keeping records long after they have no utility, keeping old customer information and generally storing data in one place so as to make a hacker’s job much easier than would otherwise be the case. In the UK Read the rest of this entry »

Half of most popular Android mobile apps have vulnerabilities

iTnews reports in Popular Android apps inherit bugs from recycled code that at least half of the 50 most popular Android apps have security problems. That is hardly a surprise. Privacy regulators around the world have focused on deficiencies in app development. Apps are notorious for poor privacy practices ranging from the software through to totally inadequate privacy policies. Most privacy regulators have released guidance on apps, most recently the New Zealand Privacy Commissioner with Need to Know or Nice to have, which was released earlier in July. In the Australian context the problem is that many app developers are small businesses as defined in the Privacy Act and are often not covered by its operations.