DBR ON DATA

Security, Privacy and Information Governance

Author: Yodi Hailemariam (page 2 of 3)

Strava’s Heatmap & IoT Devices

Share

Online fitness tracking app Strava recently published a “heatmap” of data showing the physical movement paths of Strava users around the globe.  The Strava app uses mobile phones’ GPS in conjunction with wearable fitness trackers, such as Fitbit, Garmin, and Xiaomi Mi, to track users’ physical activities, capture performance metrics like speed, pace, and distance, analyze users’ performance, and compare performance metrics with other users.  As useful as this information is to Strava users, it became widely known in late January 2018 that Strava’s heatmap, easily available to the public, shows the movement of soldiers and military personnel in different global locations.  This information can be used to identify, with explicit detail, the location and layout of foreign physical military installations in countries such as Syria and Afghanistan.

Strava’s heatmap, which was updated in November 2017, is a visualization of the company’s global network of athletes.  According to Strava, the heatmap is the “largest, richest, and most beautiful dataset of its kind,” and consists of the following data points:

  • 1 billion activities
  • 3 trillion latitude/longitude points
  • 13 trillion pixels rasterized
  • 10 terabytes of raw input data
  • A total distance of 27 billion km (17 billion miles)
  • A total recorded activity duration of 200 thousand years
  • 5% of all land on Earth covered by tiles

Strava notes that the platform has numerous privacy rules in place, including an enhanced privacy mode, the exclusion of some or all private activities, the cropping of activities to respect user defined privacy zones, and the option to opt-out of contributing data to the heatmap.

Strava’s heatmap highlights a variety of issues associated with the deployment of  Internet of Things (IoT) devices.  The IoT, a broad category of technology that is generally understood to include physical devices that can collect and share data and connect to the Internet, is quickly changing every aspect of our lives, from the way we work and how we purchase goods and services to how we exercise and how well we sleep.  How these devices connect with other devices as well as consumer expectations continue to evolve is this largely unregulated space.

The FTC’s 2012 report, “Protecting Consumer Privacy in an Era of Rapid Change,” provides further insight.

United States Is First Country to Join APEC Privacy Recognition for Processors Program

Share

The United States recently became the first country to participate in the new Asia-Pacific Economic Cooperation (“APEC”) Privacy Recognition for Processors (“PRP”) program.  Finalized in 2016 and designed to certify privacy compliance for personal information processors within the Asia-Pacific region, the PRP program offers a trustmark certification to processors that demonstrate their capacity to assist data controllers in complying with relevant privacy obligations.  According to APEC, the PRP program was created so that (1) data controllers are able to identify qualified data processors to implement data controllers’ data processing obligations, (2) data processors are able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements, and (3) small and medium-sized institutions are able to gain exposure and visibility into a global data processing network.  Continue reading

Singapore Addresses Confidentiality of Electronic Patient Records in New Healthcare Services Bill

Share

Singapore’s Ministry of Health (MOH) recently drafted a new Healthcare Services (HCS) Bill aimed to bridge the gap between the country’s changing healthcare needs and technological advances.  According to the MOH, the healthcare landscape in Singapore is undergoing significant changes, including an ageing population, increased chronic disease prevalence, and advancements in medicine and health technologies.  The HCS Bill will “better safeguard the safety and well-being of patients, while enabling new and innovative services that benefit patients to be developed, in the changing healthcare environment.”

Currently, healthcare providers in Singapore are licensed and regulated under the Private Hospitals and Medical Clinics Act (PHMCA), which was designed to protect patient safety through the licensing of physical healthcare premises.  But, brick and mortar locations are quickly becoming a thing of the past as more and more healthcare services are delivered through mobile and online channels.  MOH intends to respond to this shift by repealing the PHMCA and replacing it with this new HCS Bill.

Continue reading

VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case

Share

The Federal Trade Commission announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.

VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, as well as failing to properly secure the data it collected.  The settlement includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.

Background

VTech, a Hong Kong corporation, and VTech Electronics North America, advertise, market and distribute electronic learning products (ELPs).  The companies offer online games available through the ELPs and operate the Learning Lodge Navigator online service, a platform similar to an app store that allows customers to download child-directed apps, games, e-books and other online content.  As of November 2015, approximately 2.25 million parents had created accounts with Learning Lodge for nearly 3 million children, according to the FTC.

Continue reading

EU May Soon Decide “Adequate” Status for Japan

Share

The European Union (EU) may soon decide whether Japan will have “adequate” status for transfers of personal data from the EU.  Reuters reported on December 15, 2017 that the European Union is aiming to finalize a data transfer agreement with Japan by early 2018.

Set to be implemented in May 2018, the EU’s General Data Protection Regulation (GDPR) will require that EU citizens’ personal data be transferred to only countries  with an adequate data protection status, forbidding companies from storing EU citizens’ personal data in foreign countries deemed to have an “inadequate” level of privacy protection.

Under the EU’s privacy framework, the European Commission has the power to determine, based on Article 25(6) of Directive 94/46/EC, whether a foreign country has an “adequate” level of data protection under that country’s domestic laws or international commitments.  If a foreign country is deemed adequate, personal data can flow from the 28 EU countries (and three EEA member countries of Norway, Liechtenstein, and Iceland) to the foreign country without further safeguards.

The commission has so far deemed only 12 countries – Andorra, Argentina, Canada, Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, the United States (under the EU-US Privacy Shield), and Uruguay – as providing adequate protection.  The EU does not include the United States among its adequate protection countries. But Decision 2016/1250 on the adequacy of protection of the EU-US Privacy shield, commonly known as the EU-US Privacy Shield, was designed as a program whereby participating US companies or companies doing business in the US are deemed to have adequate protection.

An adequacy determination for Japan would be monumental for Japanese companies and companies doing business in Japan, with EU Justice Commissioner Vera Jourova recently stating that”[a]n adequacy decision would be great news for business as it would allow for the transfer of personal data from the EU to Japan without the need for extra authorisations.”

Human Rights Watch Denounces China’s Big Data Policing

Share

An international human rights organization is urging the Chinese government to stop building big data policing technologies that aggregate and analyze citizens’ personal information.  Though governments collecting information about its citizens is not new, China has begun pursuing newer and ambitious technologies, such as big data analytics, facial recognition, and cloud computing, to better and more quickly aggregate, mine, and leverage personal information.
Continue reading

Older posts Newer posts

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy