The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


2 Comments

Fallout for Google from the Street View Data Collection

The number of Google searches on Google must have dramatically increased in the past few weeks as a result of Google’s announcement that its Street View cars had collected “payload data.”  Google’s aptly-named Street View cars take photographs to create a street map with eye-level photographs.  While driving the streets of numerous countries, the cars were collecting information about the name and location of wireless networks to improve applications that provide location information, such as GPS functionality on smartphones. 

 

This new information revealed that Google had collected, not just the name and location of wireless networks, but also information sent over unsecured wireless networks, which is called payload data.  Google has said that the collection of payload data was unintentional and the result of software code mistakenly included in the Street View cars program.  Google also noted that, because the cars are on the move and the software that the cars use rapidly changes channels, the chance that Google captured data containing anything fragments of data is unlikely. 

 

Continue reading


Leave a comment

Supreme Court Addresses Privacy of Personal Text Messages on Pager Supplied by Employer

The Supreme Court recently addressed the challenges created by workplace privacy for public employees in the electronic era.  The Court’s decision in City of Ontario v. Quon sidestepped the critical question of whether a government employee has a reasonable expectation of privacy in text messages transmitted on an employer-issued pager, leaving the proper test for a Fourth Amendment violation in this context unsettled.  But every member of the Court easily agreed that even assuming that a public employee has a reasonable expectation of privacy in such text messages, the City’s search in this instance did not violate the Fourth Amendment.

Continue reading


Leave a comment

Amendments to Alberta’s Information Protection Law Take Effect

            Amendments to the Personal Information Protection Act (PIPA) of the Canadian province of Alberta took effect on May 1, 2010.  Two of the changes are particularly noteworthy.  First, like several states in the United States, Alberta now requires notification of data breaches.  Second, new notice requirements might impact use of service providers outside Canada.

 

            (1)        An organization that has personal information under its control must provide to the Alberta Information and Privacy Commissioner without unreasonable delay notice of any incident involving loss of, unauthorized access to, or disclosure of, personal information.  Notice is required where “a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss of or unauthorized access or disclosure.”  If the Commissioner determines that the data breach poses a real risk of significant harm to individuals, the organization may be required to notify those individuals.

 

            (2)        An organization that uses a service provider outside Canada to collect personal information about an individual, or that transfers to a service provider outside Canada personal information about an individual, must notify the individual of the way in which the individual can obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada.  Notification may be given in writing or orally, but it must be given before or at the time the personal information is collected, whenever consent for collection is required.

 

            The changes make Alberta the first Canadian province to mandate notification of data breaches generally.  Many Canadian legal commentators expect other Canadian jurisdictions to follow suit shortly.

 

            Canada does have an omnibus information protection law, the Personal Information Protection and Electronic Documents Act (PIPEDA).  Any organization that collects personal information in the course of commercial activity is covered by PIPEDA, except in provinces that have “substantially similar” information protection laws.  Alberta’s PIPA has been declared to be substantially similar to PIPEDA.

 

            Recently proposed amendments to PIPEDA would, if enacted, require an organization to report to the Canadian Privacy Commissioner any material breach of security safeguards involving personal information under its control.  Similar to Alberta’s PIPA, the amendments would also require an organization to notify an individual of any breach of security safeguards involving such individual’s personal information if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.

 

Continue reading


Leave a comment

Elena Kagan On Corporate “Personal Privacy” Under the Freedom of Information Act

With Elena Kagan’s confirmation hearings scheduled to begin in late June, her recent response as Solicitor General to a Third Circuit decision could provide some insight into her position on privacy matters.  Two weeks before President Obama announced her nomination to the Supreme Court, Solicitor General Kagan filed a petition for certiorari with asking the Supreme Court to overturn a Third Circuit decision that gave a corporation “personal privacy” rights under the Freedom Of Information Act.  See Petition For a Writ of Certiorari, No. 09-1279 (U.S. April 22, 2010), AT&T Inc. v. Fed. Commc’ns Comm’n, 582 F.3d. 490 (3rd Cir. 2009).

Continue reading


Leave a comment

FTC Red Flags Rule Enforcement Delayed Again (and New Legal Challenge)

The FTC announced today that it is delaying enforcement of its FACTA Red Flags Rule yet again, this time through December 31, 2010. This is the fifth time the FTC has delayed enforcement of its beleaguered red flag rule, which it originally had planned to enforce beginning November 1, 2008. This latest delay, just like the previous one, comes at the request of members of Congress who plan to amend the FACTA red flag provisions to narrow the scope of the entities that are covered. On May 25, 2010, members of Congress introduced S. 3416, which would exclude health care, accounting and law practices with fewer than 20 employees as well as certain other small businesses. 

 

Continue reading