Dec 192014

Hogan Lovells writes:

On 17 December, the State Duma (the lower chamber of the Russian Parliament) passed legislation that would change the effective date of Russia’s new law requiring the local storage in Russia of the personal data of Russian citizens (Data Localization Law) from 1 September 2016 to 1 September 2015. The legislation currently is subject to the Federation Council’s (the upper chamber of the Russian Parliament) and president’s approvals. 

Read more on Hogan Lovells Chronicle of Data Protection.

Dec 192014

Inforrm reports:

A Statement in Open Court [pdf] was read in today in the High Court before Mr Justice Dingemans in the privacy case of Jean Bernard Fernandez-Versini v. Bauer Consumer Media Limited. Heat magazine apologised and agreed to pay damages and costs.

The judge was told that Jean Bernard Fernandez-Versini, the husband of the X-Factor judge formerly known as Cheryl Cole, had accepted damages for the invasion of his privacy and for breach of the Data Protection Act 1998 in relation to a claim brought against the publishers of “Heat” magazine.

The Court heard that in August 2014, heat’s cover story referred to the Claimant and his wife and there was then a four page article containing speculation and inaccuracies and which “amounted to an unjustified intrusion into his private and family life”.

Read more on Inforrm.

Dec 192014

Because of HIPAA constraints, I can’t provide a lot of details, but when a teenaged patient was in my office with a parent, the teen complained that the parent had required the teen to download an app that enabled the parent to track the teen.

“What do you think about parents tracking teens that way?” my patient asked me in front of the parent.

“I think it’s an invasion of privacy,” I immediately answered.

The teen’s parent was very unhappy with that answer, but I stand by it. If you can’t trust your teen to tell you the truth about where they’re going, then you have a problem that a tracking app will not solve.

And if your justification is that you’re worried about their safety, then is your anxiety their problem or your problem? I’ve often heard parents say, “Well, I wouldn’t let them go out if I didn’t have the peace of mind from knowing that I can tell where they are.” So wait: you would keep your teen a prisoner in their home because you’re worried? Seriously? Unless your teen poses a threat to themselves or others, do you really want to convey that you don’t trust them? Even though they’ll be moving out or going off to college in a year or two? Will they suddenly become responsible then? Will the world suddenly become a safer place?

What are you teaching them now?

There are alternative ways to communicate with your teen and to develop trust. Start when they’re young and build a relationship with them whereby they know they need to call you and let you know where they will be – and that they need to be there or call you in advance if they are about to change their plans/location. My kids learned early on to be responsible about letting me know where they’d be, and in turn, I almost never told them that they couldn’t go somewhere.  I got peace of mind from our arrangement. What they got was a sense of responsibility and the absence of guilt most of their friends who lied to their parents had.

It really isn’t that difficult, folks. Don’t rely on privacy-invasive technology as a substitute for good communication and parent/child relationships.

Dec 192014

Orin Kerr writes:

Regular readers will recall the mosaic theory of the Fourth Amendmentintroduced by the DC Circuit in United States v. Maynard, by which law enforcement steps that aren’t searches in isolation can become searches when aggregated over time. For the most part, judges have been pretty skeptical of the mosaic theory. For example, in the recent oral argument in the Fourth Circuit in United States v. Graham, on whether the Fourth Amendment protects historical cell-site data, the mosaic arguments didn’t gain a lot of traction for the defense.

In this post, however, I want to focus on two recent federal district court decisions that cut against this trend and adopted the mosaic theory.

Read more on WaPo Volokh Conspiracy.

Dec 192014

From EPIC.org:

Beginning in 2015, many federal facilities will require a “Real ID” for entry where identification is required. Several states have opted out of the Real ID Act, a federal mandate to modify the design of state drivers licenses, raising questions about the ability of people in those states to access federal buildings and board commercial aircraft. EPIC, supported by a broad coalition, opposed the Real ID regulations, arguing that many of the required identification techniques, such as facial recognition and RFID tags, compromise privacy and enable surveillance. EPIC, joined by technical experts and legal scholars, also provided detailed comments to the Department of Homeland Security about the program and later issued a L6[report: “REAL ID Implementation Review: Few Benefits, Staggering Costs” (May 2008). For more information see: EPIC: National ID and the Real ID Act.

Dec 192014

A council that ordered covert surveillance on a sick employee must review its approach after an Information Commissioner’s Office (ICO) investigation.

The ICO found the Council breached the Data Protection Act when it ordered the surveillance of an employee suspected of fraudulently claiming to be sick.

From the undertaking, this summary of what happened:

The Information Commissioner (the ‘Commissioner’) received a data breach notification on 28 November 2013 relating to covert surveillance which had been undertaken on an employee suspected of defrauding the data controller in breach of the sickness absence policy.

The Commissioner accepts that the use of covert surveillance to monitor employee behaviour can be justified in some circumstances. However, as set out in s.3.4.1 of the Commissioner’s Employment Code of Practice, in order to justify such action the employer must be satisfied that there are grounds for suspecting criminal activity or equivalent malpractice, and that notifying individuals about the monitoring would prejudice its prevention or detection. Abuses of an organisation’s sickness policies can amount to such malpractice, but covert surveillance should only be used in exceptional circumstances as a last resort when alternatives which respect the employee’s privacy have been considered and are not viable/ appropriate.

On the specific facts of this case the Commissioner does not consider that the data controller had sufficient evidence to warrant the authorisation of covert surveillance on an employee. In this case the employee had only been off work with a sick note for anxiety and stress for four weeks at the time the surveillance was authorised. The surveillance was authorised on the basis that the employee had told a few people that she felt housebound and the data controller believed the employee would use the absence to avoid attending meetings she was required to attend at work.

However there was no medical indication that the employee was housebound and no other measures were taken to discuss the employee’s sickness absence and potential attendance at meetings before resorting to covert surveillance at such an early stage. The data controller has accepted that there had been no evidence to suggest that the employee would use the sickness policy as a basis for not attending the meetings she was required to attend. In fact the employee attended a meeting which took place shortly after the surveillance had been carried out without being aware that the surveillance had been conducted.

The data controller has also confirmed that the report which was produced by the surveillance company was never used. This was despite the report verifying that the employee was not housebound.

Given the above it is the Commissioner’s view that there were not sufficient grounds at this early stage of the employee’s sickness absence to justify the authorisation of covert surveillance.