
                              E P I C   A l e r t
Volume 16.03                                          February 23, 2009

                                Published by the
                   Electronic Privacy Information Center (EPIC)
                                Washington, D.C.


                        "Defend Privacy. Support EPIC."

Table of Contents
[1] Facebook Reverses Terms of Service on Eve of EPIC Complaint
[2] Federal Court Upholds Opt-In Privacy Rule for Telephone Services
[3] Trade Commission Issues Guidelines for Behavioral Advertising
[4] Homeland Security Appoints New Chief Privacy Officer
[5] Final Medical Privacy Rules Adopted in Congress
[6] News in Brief
[7] EPIC Bookstore: "In Confidence"
[8] Upcoming Conferences and Events
        - Join EPIC on Facebook http://epic.org/facebook
        - Subscription Information
        - Privacy Policy
        - About EPIC
        - Donate to EPIC http://epic.org/donate

[1] Facebook Reverses Terms of Service on Eve of EPIC Complaint

On February 18, 2009, hours before EPIC planned to file a complaint
with federal regulators regarding changes to Facebook's Terms of
Service, the social network service restored the original policy.
Facebook also committed to a more transparent, participatory process
regarding future changes to its Terms of Service, a process that
"reflect[s] the principles and values of the people using the service."
"Facebook users will have a lot of input in crafting these terms," the
company promised.

The modified Terms of Service were announced on February 4, were widely
criticized, and were to be the subject of the EPIC Federal Trade
Commission complaint. EPIC observed that the modified Terms of Service
included several material changes, which adversely impacted Facebook
customers, eviscerated widely recognized privacy rights, and unilaterally
and retroactively transferred control of user-generated content to
Facebook. These modifications were made without any meaningful notice
to Facebook users. EPIC noted that the unilateral transfer of rights to
Facebook was an unfair and deceptive business practice. Facebook users
observed that, under the revised policies, Facebook asserted broad,
permanent, and retroactive rights to users' personal information - even
after they deleted their accounts. The EPIC complaint was supported by
more than a dozen consumer and privacy organizations.

Facebook's original Terms of Service stated "[w]hen you post User
Content to the Site, you authorize and direct us to make such copies
thereof as we deem necessary in order to facilitate the posting and
storage of the User Content on the Site." The original Terms of Service
also promised "[y]ou may remove your User Content from the Site at any
time. If you choose to remove your User Content, the license granted
[to Facebook] will automatically expire..." These clauses allow
Facebook to make use of user-generated information in a manner that is
consistent with typical privacy laws, which permit the business use of
customer data for purposes that are necessary or incident to the
provision of the service.

Facebook's modified Terms of Service removed language regarding
deletion of users' content from Facebook and the expiration of
Facebook's right to use such content. The modified terms also omitted
the provision limiting Facebook's use of user data to activities
incident to providing the service. The modified terms permitted
Facebook to utilize users' personal information for any purpose,
including explicitly the commercialization and monetization of Facebook
users' names and likenesses, for Facebook's benefit. Facebook's
modified Terms of Service asserted greater rights to user data than
policies established by similar services, including MySpace, Yahoo, and

In response to user concerns, Facebook has established a new Group,
"Facebook Bill of Rights and Responsibilities," and is seeking comments
from users. The page includes these statements from the company:

1. You own your information. Facebook does not. This includes your
photos and all other content.
2. Facebook doesn't claim rights to any of your photos or other
content. We need a license in order to help you share information
with your friends, but we don't claim to own your information.
3. We won't use the information you share on Facebook for anything
you haven't asked us to. We realize our current terms are too broad
here and they make it seem like we might share information in ways
you don't want, but this isn't what we're doing.
4. We will not share your information with anyone if you deactivate
your account. If you've already sent a friend a message, they'll
still have that message. However, when you deactivate your account,
all of your photos and other content are removed.
5. We apologize for the confusion around these issues. We never
intended to claim ownership over people's content even though that's
what it seems like to many people. This was a mistake and we apologize
for the confusion.

Previous EPIC complaints at the FTC have related to Microsoft Passport,
Choicepoint, and the Google-Doubleclick merger. In 2001, EPIC's privacy
complaint spurred federal regulators to investigate Microsoft's business
practices, and resulted in substantial modifications to the software
giant's Passport service. EPIC's 2004 complaint concerning data broker
Choicepoint resulted in the biggest privacy judgment in the Commission's
history. In 2007, EPIC urged the FTC to impose privacy safeguards on the
Google/DoubleClick merger, supporting strong privacy protections as a
condition of the deal.

EPIC's "Social Networking Privacy" page:

Facebook Group "People Against the new Terms of Service (TOS)":

Facebook Statement Regarding Reversion to the Original Terms of Service:

Facebook's Terms of Service:

Facebook Bill of Rights and Responsibilities:

EPIC's Choicepoint page:

EPIC's Microsoft Passport page:

EPIC's page concerning the Google-Doubleclick merger:

EPIC's Group Page on Facebook:

[2] Federal Court Upholds Opt-In Privacy Rule for Telephone Services

On February 13, 2009, the federal Court of Appeals for the District of
Columbia upheld telephone privacy regulations that require phone
companies to obtain affirmative, opt-in consent from customers before
they disclose personal information to outside corporations. At issue
was an April 2, 2007 Federal Communications Commission order that
protects consumers' telephone record information. The National Cable &
Telecommunications Association challenged the privacy rule, claiming
that companies have a free speech interest in disclosing their
customers' personal information without their opt-in consent. The
industry group asked the court to invalidate federal regulators' opt-in
requirement, and replace it with an opt-out regime, which provides less
protection for customers' privacy.

EPIC filed a "friend of the court" brief in the case urging support for
opt-in safeguards for telephone customers. The EPIC brief was filed on
behalf of consumer and privacy organizations, technical experts, and
legal scholars. "Consumers have a legitimate expectation of privacy
with respect to sensitive personal information such as whom they call
on a telephone," the EPIC brief said. "An opt-out policy would provide
neither adequate protection for consumer data nor sufficient notice
to consumers."

The federal appellate court ruled that the privacy regulations advance
a substantial government interest, and do not violate telephone
companies' free speech rights. The opinion recognizes that "the
government has a substantial interest in protecting the privacy of
customer information and that requiring customer approval advances that
interest." "The privacy of customer information cannot be preserved
unless there are restrictions on the carrier's disclosure of it," the
Court wrote. "The carrier's sharing of customer information with a
joint venturer or an independent contractor without the customer's
consent is itself an invasion of the customer's privacy."

The Opinion recognizes EPIC's critical role in spurring adoption of the
privacy rules at issue in the case. In August 2005, EPIC filed a
petition urging the FCC to require security measures to protect access
to consumers' personal telephone information from pretexters and other
unauthorized parties. On July 9, 2007, EPIC filed detailed comments
asking the FCC to implement additional safeguards for consumer
telecommunications data. EPIC's proposals included encryption of
sensitive data, the implementation of audit trails, and limitations on
data retention.

The FCC rule prohibits companies from sharing "customer proprietary
network information" with third parties without a consumer's opt-in
consent. Customer proprietary network information (CPNI) is the data
collected by telecommunications corporations about a consumer's
telephone calls. It includes the time, date, duration and destination
number of each call, the type of network a consumer subscribes to, and
any other information that appears on the consumer's telephone bill.
EPIC has detailed the privacy violations that have resulted from
unauthorized disclosure of CPNI. Such violations include pretexting,
stalking, and the widespread sale of individuals' phone records on the

The Telecommunications Act of 1996 required telecommunications
companies to obtain customers' approval prior to sharing their CPNI
with third parties. However, there was a difference of opinion on the
interpretation of "approval." EPIC and other privacy advocates and
consumer rights groups argued that "approval" required that a consumer
give positive, express consent to the sharing of information: that is,
to "opt-in" to the marketing scheme. Telecommunications industry
entities supported a presumption of consent, that is, an opt-out
system. The FCC rule clarified that the law requires "opt-in consent." The National
Cable and Telecommunications Association challenged the FCC rule,
alleging that corporations had a First Amendment right to share CPNI
with third parties for marketing purposes. Similar arguments were
rejected by federal courts in Trans Union v. FTC, 245 F.3d 809 (D.C.
Cir. 2001) and IRSG v. FTC, 145 F. Supp. 2d 6, No. 00-1828 (D.D.C.
2001) following an earlier decision, US West v. FCC, 182 F.3d 1224
(10th Cir. 1999) that had been widely criticized.

D.C. Circuit Court Decision Upholding Telephone Privacy Rule:

EPIC's "friend of the court" brief:

EPIC's NCTA v. FCC Web Page:

EPIC's CPNI Web Page:

FCC Order Regarding CPNI opt-in:

EPIC's 2005 Petition to the FCC:

EPIC's July 9, 2007 Comments to the FCC:

US West v. FCC - Privacy of Phone Records:

[3] Trade Commission Issues Guidelines for Behavioral Advertising

The Federal Trade Commission released a set of voluntary guidelines in
an effort to balance the "potential benefits of behavioral advertising"
against privacy concerns. The new guidelines attempt to encourage
privacy protections while maintaining a competitive marketplace. The
report is based on the examination of tracking, targeting and
advertising online.

The report stated that depending upon the circumstances, a company
whose practices fell outside the Principles may still be required to
implement reasonable measures to address privacy or security risks to
consumer information; companies should not unilaterally alter their
policies and use previously collected data in a manner materially
different from the original terms; and companies should also look into
the federal and state law that may apply to their business.

The staff considered the applicability of the Principles not only to
the collection and use of personally identifiable information but also
to non-personally identifiable information. The staff was of the
opinion that, in the context of online behavioral advertising, the
traditional distinction between PII and non-PII was becoming
blurred and should not by itself determine the protections necessary
for consumer data. The staff considered the possibility of harm through
1) linking or merging non-PII with PII; 2) technologies rendering
identification easier based on information considered non-PII;
3) information becoming identifiable when combined and linked by a
common identifier; 4) the delivery of advertising on a shared computer
revealing private information to another user; and 5) available
evidence showing consumer concern about the collection of data online
regardless of its PII/non-PII characterization. The staff adopted the
approach of including within the Principles' scope any data collected
for online behavioral advertising that could reasonably be associated
with a particular person or computer.

The staff was also of the opinion that "first party" behavioral
advertising was more likely to be consistent with consumer
expectations and less likely to lead to consumer harm, and that as such
it was not necessary to include "first party" behavioral advertising
practices within the scope of the Principles. The staff also agreed
that stronger privacy protections were necessary in the sharing of data
with third parties. Finally, the report also stated that it was not
necessary for the Principles to cover contextual online advertising.

The guidelines set out four Principles: "1) transparency and
consumer control; 2) reasonable security and limited data retention
for consumer data; 3) affirmative express consent for material
retroactive changes to privacy promises; and 4) affirmative express
consent to (or prohibition against) use of sensitive data." In arriving
at the Principles, the staff of the Trade Commission considered
consumer expectations regarding the practices; the extent to which the
practices were transparent; the potential for consumer harm; and the
need to maintain vigorous competition in the online marketplace and
avoid stifling innovation. The staff also noted that some of the
Principles were similar to existing Commission law and policy.

With respect to transparency and consumer control, the report advocated
a clear, concise, consumer-friendly, and prominent statement about
collection and use of the information and a clear method of exercising
the option. The staff stated that any data collected should be retained
only as long as necessary to fulfill a legitimate business or law
enforcement need. The report also called for an affirmative express
consent for material changes to existing privacy promises. Finally,
companies were cautioned to collect sensitive data for behavioral
advertising only after obtaining affirmative consent from the consumer.

Additionally, with regard to privacy policies, the staff stated that
companies should design innovative ways outside of the privacy policy
to provide behavioral advertising disclosures and choice options. The
report also called upon the industry to develop self-regulatory regimes
for business models that effectively implement transparency and
consumer control principles.

Although Commissioner Pamela Jones Harbour voted to release the report,
she wrote a concurring statement stating that the report focused too
narrowly and preferred that the Commission take a more comprehensive
approach to privacy, and evaluate behavioral advertising within a
broader context. Commissioner Jon Leibowitz added that industry needed
to do a better job of meaningful, rigorous self-regulation, and that
failure to do so could invite legislation by Congress and a more
regulatory approach by the Commission. The guidelines are partially in response
to EPIC's 2007 complaint regarding the Google-Doubleclick merger
raising concerns about the profiling of Internet users and the need
to establish clear privacy safeguards as a condition of the merger.

FTC Staff Report: Self-Regulatory Principles For Online Behavioral

FTC Staff Revises Online Behavioral Advertising Principles:

The Federal Trade Commission:

Concurring Statement of Commissioner Pamela Jones Harbour:

Concurring Statement of Commissioner Jon Leibowitz:

EPIC's complaint regarding Google-DoubleClick merger:

EPIC's page on Privacy? Proposed Google/DoubleClick Deal:

[4] Homeland Security Appoints New Chief Privacy Officer

The U.S. Department of Homeland Security Secretary announced the
appointment of the department's new Chief Privacy Officer, Mary Ellen
Callahan. She has been a partner in Hogan & Hartson LLP and her areas
of practice have included antitrust law, consumer protection law and
internet law. The Chief Privacy Officer is in charge of the DHS Privacy
Office which is the first statutorily required Privacy Office at any
federal agency whose goal is to maintain individual privacy while
achieving objectives of the DHS.

The DHS Privacy Office operates as the overseer of Section 222 of the
Homeland Security Act, the Privacy Act, the Freedom of Information Act,
Executive Orders, court decisions and Department policies that protect
the collection, use, and disclosure of personal and Departmental
information. The Privacy Office, as part of its outreach program, holds
public workshops to explore policy, law, and technology issues of
privacy and homeland security. The Privacy Office also has oversight
of the implementation of the Freedom of Information Act. Further, under the
E-Government Act of 2002, an assessment of the privacy impact of any
substantially revised or new Information Technology System is mandated.
These assessments are published as Privacy Impact Assessments. The PIAs
of programs such as REAL ID, Fusion Centers, Secure Flight, US VISIT
and SEVIS have brought to the fore privacy issues entrenched within
those programs.

The primary responsibilities of the Chief Privacy Officer include
assuring that the use of technologies sustains privacy protections
relating to the use, collection, and disclosure of personal
information; assuring that personal information contained in Privacy
Act systems of records is handled in full compliance with fair
information practices; evaluating legislative and regulatory proposals
involving collection, use, and disclosure of personal information by
the Federal Government; conducting a Privacy Impact Assessment of
proposed rules of the DHS or that of the Department on the privacy of
personal information; coordinating with the Officer for Civil Rights
and Civil Liberties to ensure that (a) programs, policies, and
procedures involving civil rights, civil liberties, and privacy
considerations are addressed in an integrated and comprehensive manner;
and (b) Congress receives appropriate reports on such programs,
policies, and procedures; and preparing a report to Congress on an
annual basis on activities of the Department that affect privacy,
including complaints of privacy violations, implementation of the
Privacy Act of 1974, internal controls, and other matters.

The Chief Privacy Officer also has the authority to investigate and
have access to all records available to the Department that relate to
programs and operations under the Officer's responsibilities; make such
investigations and reports relating to the administration of the
programs and operations as deemed necessary; require by subpoena the
production, by any person, of all information, and documentary evidence
necessary to the performance of the responsibilities; and administer to
or take from any person an oath, affirmation, or affidavit, whenever
necessary to performance of the responsibilities.

The Chief Privacy Officer reports to the Secretary of the DHS and
coordinates activities with the Inspector General for the DHS. The
Chief Privacy Officer also submits reports directly to the Congress
regarding the performance of the responsibilities and informs the
Committee on Homeland Security and Government Affairs of the Senate
and the Committee on Homeland Security when the Secretary disapproves,
modifies or does not act on a request for subpoena.

The DHS Data Privacy and Integrity Advisory Committee has recently
submitted a series of recommendations for the new DHS Privacy Office.
EPIC has also made several recommendations, including the immediate
termination of the DHS-funded "Fusion Centers."

Secretary Napolitano Appoints Mary Ellen Callahan as
DHS Chief Privacy Officer:

The Department of Homeland Security:

DHS Privacy Office - About the Privacy Office:

The Privacy Office of the U.S. Department of Homeland Security:

Letter to DHS Secretary Janet Napolitano from Chair, DHS
Privacy and Integrity Advisory Committee, Feb. 4, 2009:

EPIC's page on Fusion Centers:

Rotenberg, The Sui Generis Privacy Agency: How the United States
Institutionalized Privacy Oversight After 9-11:

[5] Final Medical Privacy Rules Adopted in Congress

On February 17, 2009, President Barack Obama signed into law the
American Recovery and Reinvestment Act of 2009. The Act contained
various measures that promote strong medical privacy safeguards. The
new law amends the Public Health Service Act and the Social Security
Act by adding and clarifying key definitions; sets up new offices and
committees for the promotion of health information technology; and
assigns their powers, duties and responsibilities.

Subtitle A of the Act establishes the Office of the National
Coordinator for Health Information Technology under the Department of
Health and Human Services. The ONCHIT is charged with the
responsibility of developing a nationwide health information
technology infrastructure that allows for the electronic use and
exchange of information while ensuring multiple medical privacy
protections. The ONCHIT must also review and determine standards,
specifications and certification criteria. Other authorities created by
the Act are the HIT Policy Committee and the HIT Standards Committee.
The ONCHIT is to serve as the liaison between the two Committees and the
Federal Government.

A Chief Privacy Officer of the ONCHIT is also to be appointed within
12 months to advise the ONCHIT on privacy, security and data
stewardship of electronic health information and coordinate with other
agencies and their personnel.

The HIT Policy Committee is assigned the duty of making policy
recommendations to the National Coordinator relating to the
implementation of a nationwide health information technology
infrastructure. The HIT Standards Committee has the responsibility of
recommending standards, implementation specifications and
certification criteria to the National Coordinator. The Act, however,
makes it clear that the statute
does not apply to private entities or give authority to a Federal
agency to require a private entity to comply unless it enters into a
contract with the Federal Government to apply or use the standards and
implementation specifications. The National Institute for Standards
and Technology has been entrusted with the pilot testing of standards
and implementation specifications to assure efficient implementation.

Sections of the bill also mandate that agencies promoting quality and
efficient health care in Federal government or Federally sponsored
health care programs agree that all health care providers and similar
entities utilize health information technology systems and meet the
standards and specifications adopted under the bill.

Subtitle D of the statute deals with Privacy. A section defines
breach and sets forth exceptions. "Business Associate" and "Covered
Entity" are also defined. In case of data breaches, the covered entity
is to notify every individual reasonably believed to be affected by the
breach; and if a business associate of a covered entity suffers a data
breach, it must inform the covered entity about every individual whose
information may have been affected. The statute also assigns the
Office of Civil Rights within the Department of Health and Human
Services to offer guidance and education to covered entities, business
associates and individuals on their rights and responsibilities under
Federal privacy and security requirements.

The new law prohibits the sale of protected health information in the
absence of a valid authorization. However, the law also contains
exceptions for public health activities, research, treatment and sale
to a business associate at the request of a covered entity under a
business associate agreement. Business associates of covered entities
can only obtain protected health information when under written
obligation and violations are met with civil and criminal penalties.
Further, marketing based on communication by a covered entity to a
business associate is not deemed to be a healthcare operation.

The statute also contains a clause providing that the standards
governing the privacy and security of individually identifiable health
information created under the Health Insurance Portability and
Accountability Act remain in effect only to the extent they are
consistent with the American Recovery and Reinvestment Act. The
Secretary of the Department of Health and Human Services is also to
amend the Federal regulations consistent with the subtitle on Privacy.
Another provision of the Act designates the Secretary, in consultation
with the Federal Trade Commission, to conduct a study and submit a
report on privacy and security requirements for entities that are not
covered entities or business associates.

The Act limits the appropriation of funds in making significant
investments unless such investment would permit full and accurate
electronic exchange and use of health information in a medical record
with both security and privacy. Patient Privacy Rights led the campaign
for strong medical privacy protection to be included in the Stimulus
Bill. Senator Leahy also asked for the incorporation of some of the

The American Recovery and Reinvestment Act of 2009:

Subtitle D - Privacy:

Patient Privacy Rights:

Senator Leahy's statement on medical privacy:

EPIC's page on Medical Privacy:

[6] News in Brief

Supreme Court to Hear Arguments in Identity Theft Case

The US Supreme Court will hear oral arguments in Flores-Figueroa
v. US on February 25, 2009. Before the Court is this question: "In
order to prove aggravated identity theft, does the government need to
prove the defendant knew the identification he possessed belonged to
another person?" EPIC filed a friend of the Court brief in support of
the petitioner, Flores-Figueroa and explained that the crime of
identity theft should require an intent to impersonate another as
Congress made clear in the federal laws under review. The brief urges
the Court to not "set a precedent that might inadvertently render the
use of privacy enhancing pseudonyms, anonymizers, and other techniques
for identity management unlawful."

US Supreme Court, Docket, Flores-Figueroa:

Oyez, Flores-Figueroa v. US, No. 08-108:

EPIC, Flores-Figueroa v. US:

Stimulus Bill Grants One Billion Dollars for Airport Scanners

The American Recovery & Reinvestment Act signed by President Obama
contains a grant of $1 Billion for Aviation Security. The law
grants the sum for the "procurement and installation of checked baggage
explosives detection systems and checkpoint explosives detection
equipment." This equipment includes "backscatter" X-ray machines,
which show detailed images of a person's naked body and are equivalent
to a "virtual strip search" for all air travelers.

EPIC - Spotlight on Surveillance:

X-Ray Backscatter Technology and Your Personal Privacy:

TSA's page on Backscatter:

Massachusetts Postpones Data Privacy Rules to 2010

In November last year, the Commonwealth of Massachusetts became the
first state in the United States to enact data privacy and security
standards and regulations. Following a public hearing in January in
which businesses stated that it would be virtually impossible to
implement the new standards within the designated timeframe, the
Office of Consumer Affairs and Business Regulation (OCABR) decided to
extend the time required to comply with the new regulations until
January 1, 2010. The OCABR decided on having comprehensive methods to
ensure that businesses have adequate safeguards to protect personal
information about Massachusetts residents. The new regulation prescribes
the minimum standards that are to be implemented.

Standards for The Protection of Personal Information of Residents of
the Commonwealth (201 CMR 17.00):

201 CMR 17.00 Compliance Checklist:

FAQs regarding 201 CMR 17.00:

European Court of Justice Upholds Data Retention Directive

The European Court of Justice dismissed a legal challenge by Ireland
supported by Slovakia to the EU Data Retention Directive (2006/24/EC).
The directive pertained to retention of data generated or processed in
connection with the provision of publicly available electronic
communications services or of public communications networks. The Court
found that the directive was adopted on an appropriate legal basis; the
provisions of the directive are essentially limited to the activities of
service providers and do not govern access or use of the data by the
police or judicial authorities; and the data which falls in principle
within the domain covered by police and judicial cooperation in criminal
matters has been excluded from the provisions of the directive.

Ireland v. Parliament and Council of EU, E.C.J. No. 301/06:

Directive 2006/24/EC of the European Parliament and of the Council:

Press Release No 11/09:

EPIC, Data Retention:

Social Networking Companies Agree to European Privacy Principles

Seventeen social-networking Web sites signed a voluntary set of
social networking principles aimed at reducing online bullying of
children and young people and protecting their personal information.
The principles included 1) raising awareness of safety education
messages and acceptable use policies to users, parents, teachers and
caregivers in a prominent, clear and age-appropriate manner;
2) working towards ensuring that services are age-appropriate for the
intended audience; 3) empowering users through tools and technology;
4) providing easy-to-use mechanisms to report conduct or content that
violates the Terms of Service; 5) responding to notifications of
illegal content or conduct; 6) enabling and encouraging users to employ
a safe approach to personal information and privacy; and 7) assessing
the means for reviewing illegal or prohibited content/conduct. The
companies included Facebook, MySpace, Bebo, Microsoft Europe,
Dailymotion, Google YouTube, and Yahoo! Europe.

Safer Social Networking Principles for the EU:

European Union: Communications and Electronic Information -
Signing of Agreement on Social Networking:

EPIC, Social Networking Sites and Privacy:

ENISA Issues Paper on Privacy Features of eID Cards

The European Network and Information Security Agency released a
position paper on security features in European eID schemes. The eID
card is an authentication token as well as a personal data source. The
paper gives the first overview of the vast disparity between privacy
features in eID cards across Europe. eID cards are currently used
mainly for tax declarations and other e-government services, but
applications are branching out into the commercial sector. There is a
lack of coordinated strategy regarding protection of the private data
stored on the card which hinders interoperability and also limits

Privacy Features of European eID Card Specifications:

Revised FAQ on Binding Corporate Rules Includes Third Party Rights

The Article 29 Working Party published a revised set of Frequently
Answered Questions about Binding Corporate Rules. BCRs are a legal
means for providing adequate protection to personal data which is
covered by Directive 95/46/EC and transferred out of the European
Union to countries that are not considered to provide an adequate
level of protection. The new FAQ includes principles which are
enforceable as third party beneficiary rights. They include purpose
limitation; data quality and proportionality; criteria for making the
processing legitimate; transparency and easy access to BCR; rights of
access, rectification, erasure, blocking of data and object to the
processing; rights in case automated individual decisions are taken;
security and confidentiality; restrictions on onward transfers outside
of the group of companies; national legislation preventing respect of
BCR; right to complain through the internal complaint mechanism of the
companies; cooperation duties with Data Protection Authorities; and
liability and jurisdiction provisions.

Working Document on Frequently Asked Questions (FAQs) related to
Binding Corporate Rules (last Revised and adopted on 21 January 2009):

Working Document Setting up a framework for the structure of Binding
Corporate Rules:

[7] EPIC Bookstore: "In Confidence"

"In Confidence" by Ronald Goldfarb
Ronald Goldfarb's book examines confidentiality by delving into "its
justification, its rationales, its virtues, and its complexities" when
courts weigh its importance. His book reflects on the judicially
recognized rights of confidentiality extended to or withheld from
governments and citizens; attorneys and clients; physicians and
patients; psychotherapists and patients; pastors and congregants; among
family members; businesses and customers; journalists and informants.
He posits that confidentiality is related to privacy, but they are not
the same thing. Goldfarb's book is packed with interesting history,
case studies, and legislative efforts to chart the way for
confidentiality. He defines confidentiality as a component set of
privacy rights. Privacy is a relatively new human right and one that
evolves with times, circumstances, people, customs, and beliefs. The
views of philosophers, legal historians, and privacy experts are aired
in an interesting and thought-provoking manner. The book is only 244
pages, but do not be misled - you must set aside some quiet time to
really get the best out of the experience of reading "In Confidence."

This book is written from the perspective of a very good legal mind. I
enjoyed the byplay of tension between what we may want as individuals
and what challenges society might place on confidential communications
between intimates. He advances Dean Wigmore's legal thinking as a
litmus test to determine when and how confidential matters should be
weighed in a judicial process if: "the communications were made in
confidence; the element of confidentiality is essential to maintain the
parties' relationship; there is a community need to 'sedulously' foster
the relationship; and the harm to the relationship caused by disclosure
would exceed any benefit from the disposal of the litigation," then the
matter at hand should not be disclosed. I would argue on the point
Goldfarb makes regarding the confidentiality of medical information or
the patient doctor privilege. He argues that modern medicine is not
performed on a person-to-person basis. The doctor and patient are by
necessity not the only parties to the medical information provided,
that office administrators, nurses, laboratory technicians, medical
service providers, insurance companies, and others must have routine
access to medical information to meet the medical needs of patients. He
argues that the lack of confidentiality is known by patients and that
the greater good of society might be served if medical information is
shared when it has broader implications for the health and safety of
others. History teaches well the lessons of illness and community -
the ill, whether they be lepers of the 1st Century or HIV/AIDS victims
of the 1970s, are clear. There may be just as much for the ill to fear
from the healthy. Effective treatment means early detection, and early
detection requires the cooperation and collaboration of those who may
be ill.

Confidentiality is an important aspect of the need to disclose
information to medical professionals for accurate diagnosis and
treatment. Legislative remedies are one source of help for those seeking
a hedge against privacy invasive technology, private or government
practices, or changes in policy that erode the right to be left alone.
However, the courts provide a valuable reprieve from the long path to
relief that might be provided by legislative or rulemaking processes.
The state and federal courts allow the affirmation or scoping out of
privacy rights in circumstances that are not clear or well established.
Speaking with a doctor, lawyer, priest, spouse, or mental health
professional has presence and legal history to support the role of
confidential communications within those relationships. He correctly
argues that there are other relationships that are just as vital to
society in which confidences should be maintained. He posits that
members of a family, parents and children, as well as siblings are
irrevocably connected in a relation that will last a lifetime. This
relation is not voluntary in nature and cannot be dissolved at will.
The benefit to the individual of physical, emotional, and other forms
of security are real. Damage to these relationships also has
consequences for the broader society, which should be recognized by
courts and protected under legal mandate. Goldfarb does an excellent
job at provoking and stimulating the thought processes around
confidentiality, which is a slice of the privacy landscape. He lands
squarely on the side of fostering societal values around the right of
confidentiality and flushing out notions of privileged communications
based on "clear and commanding situations." I was glad to have had the
opportunity to review this book for the EPIC Alert.

--  Lillie Coney

EPIC Publications:

"Litigation Under the Federal Open Government Laws 2008," edited by
Harry A. Hammitt, Marc Rotenberg, John A. Verdi, and Mark S. Zaid
(EPIC 2008). Price: $60.

Litigation Under the Federal Open Government Laws is the most
comprehensive, authoritative discussion of the federal open access
laws. This updated version includes new material regarding the
substantial FOIA amendments enacted on December 31, 2007. Many of the
recent amendments are effective as of December 31, 2008. The standard
reference work includes in-depth analysis of litigation under the
Freedom of Information Act, the Privacy Act, the Federal Advisory
Committee Act, and the Government in the Sunshine Act. The fully updated
2008 volume is the 24th edition of the manual that lawyers, journalists
and researchers have relied on for more than 25 years.

"Information Privacy Law: Cases and Materials, Second Edition" by Daniel
J. Solove, Marc Rotenberg, and Paul Schwartz (Aspen 2005). Price: $98.

This clear, comprehensive introduction to the field of information
privacy law allows instructors to enliven their teaching of fundamental
concepts by addressing both enduring and emerging controversies. The
Second Edition addresses numerous rapidly developing areas of privacy
law, including: identity theft, government data mining and electronic
surveillance law, the Foreign Intelligence Surveillance Act,
intelligence sharing, RFID tags, GPS, spyware, web bugs, and more.
Information Privacy Law, Second Edition, builds a cohesive foundation
for an exciting course in this rapidly evolving area of law.
"Privacy & Human Rights 2006: An International Survey of Privacy Laws
and Developments" (EPIC 2007). Price: $75.

This annual report by EPIC and Privacy International provides an
overview of key privacy topics and reviews the state of privacy in over
75 countries around the world. The report outlines legal protections,
new challenges, and important issues and events relating to privacy.
Privacy & Human Rights 2006 is the most comprehensive report on privacy
and data protection ever published.
"The Public Voice WSIS Sourcebook: Perspectives on the World Summit on
the Information Society" (EPIC 2004). Price: $40.
This resource promotes a dialogue on the issues, the outcomes, and the
process of the World Summit on the Information Society (WSIS). This
reference guide provides the official UN documents, regional and
issue-oriented perspectives, and recommendations and proposals for
future action, as well as a useful list of resources and contacts for
individuals and organizations that wish to become more involved in the
WSIS process.
"The Privacy Law Sourcebook 2004: United States Law, International Law,
and Recent Developments," Marc Rotenberg, editor (EPIC 2005). Price:
The Privacy Law Sourcebook, which has been called the "Physician's Desk
Reference" of the privacy world, is the leading resource for students,
attorneys, researchers, and journalists interested in pursuing privacy
law in the United States and around the world. It includes the full
texts of major privacy laws and directives such as the Fair Credit
Reporting Act, the Privacy Act, and the OECD Privacy Guidelines, as well
as an up-to-date section on recent developments. New materials include
the APEC Privacy Framework, the Video Voyeurism Prevention Act, and the
"Filters and Freedom 2.0: Free Speech Perspectives on Internet Content
Controls" (EPIC 2001). Price: $20.
A collection of essays, studies, and critiques of Internet content
filtering. These papers are instrumental in explaining why filtering
threatens free expression.
EPIC publications and other books on privacy, open government, free
expression, crypto and governance can be ordered at:

EPIC Bookstore

"EPIC Bookshelf" at Powell's Books
EPIC also publishes EPIC FOIA Notes, which provides brief summaries of
interesting documents obtained from government agencies under the
Freedom of Information Act.

Subscribe to EPIC FOIA Notes at:

[8] Upcoming Conferences and Events

Department of Homeland Security Data Privacy and Integrity Advisory
Committee, Public Meeting, 9:00 a.m. - noon and 1:30 p.m. to 4:00 p.m.,
February 26, 2009 at Galleries I and II of the Hilton Arlington
Hotel, 950 North Stafford Street, Arlington, Virginia.
For more information,

Annual BCLT/BTLJ Symposium
"Security Breach Notification 6 Years Later: Lessons Learned about
Identity Theft and Directions for the Future," March 6, 2009 at
UC Berkeley School of Law. For more information,

2009 Freedom Forum Freedom of Information conference:
"Freedom and Information: Looking Back and Looking Forward,"
11th annual National FOI Day Conference, Freedom Forum's Newseum,
March 13, 2009.
Contact: ahampton@freedomforum.org or call 202/292-6288

The IAPP Privacy Summit 2009 will be held March 11-13, 2009,
in Washington, D.C. For more information, http://www.privacysummit.org

"Conference on International Aspects of Securing Personal Data,"
The Federal Trade Commission, Washington, D.C., March 16-17, 2009.
For more information, http://ftc.gov/opa/2008/12/datasec.shtm

UC Berkeley Law School, BCLT Second Annual Privacy Lecture,
"Confronting the Third Party Doctrine and the Privacy of Personal
Information," March 18, 2009 at Bancroft Hotel, 2680 Bancroft Way,
Berkeley, CA 94704. For more information,

Notice and Request for Public Comments by the Federal Trade Commission
on Digital Rights Management Technologies.
Event: Wednesday, March 25, 2009, Seattle, WA.
For more information,

"2nd Privacy OS Conference," MediaCentre, Berlin, Germany, April 1-3,
2009. For more information, http://www.privacyos.eu

"THE FUTURE OF PRIVACY: What's Next?" - a one day seminar.
April 28, 2009, Cartier Suites Hotel, 180 Cooper Street,
Ottawa, Canada. For more information,

"2nd Annual Research Symposium for the Identity, Privacy and
Security Initiative," May 6, 2009, University of Toronto.
For more information, http://www.ipsi.utoronto.ca/site4.aspx

IEEE Symposium on Security and Privacy, May 17-20, 2009,
The Claremont Resort, Oakland, California. For more information,

Web 2.0 Security & Privacy 2009, Thursday, May 21,
The Claremont Resort, Oakland, California. For more information,

Computers, Freedom, and Privacy, 19th Annual Conference, Washington,
D.C., June 1-4, 2009. For more information,

"The Transformation of Privacy Policy," Institutions, Markets,
Technology Institute for Advanced Studies (IMT) Lucca, Italy, July 2-4,

Join EPIC on Facebook

Join the Electronic Privacy Information Center on Facebook

Start a discussion on privacy. Let us know your thoughts.
Stay up to date with EPIC's events.
Support EPIC.

Subscription Information

Subscribe/unsubscribe via web interface:

Back issues are available at:

The EPIC Alert displays best in a fixed-width font, such as Courier.

Privacy Policy

The EPIC Alert mailing list is used only to mail the EPIC Alert and to
send notices about EPIC activities. We do not sell, rent or share our
mailing list. We also intend to challenge any subpoena or other legal
process seeking access to our mailing list. We do not enhance (link to
other databases) our mailing list or require your actual name.

In the event you wish to subscribe or unsubscribe your e-mail address
from this list, please follow the above instructions under "subscription

About EPIC

The Electronic Privacy Information Center is a public interest research
center in Washington, DC. It was established in 1994 to focus public
attention on emerging privacy issues such as the Clipper Chip, the
Digital Telephony proposal, national ID cards, medical record privacy,
and the collection and sale of personal information. EPIC publishes the
EPIC Alert, pursues Freedom of Information Act litigation, and conducts
policy research. For more information, see http://www.epic.org or write
EPIC, 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009. +1 202
483 1140 (tel), +1 202 483 1248 (fax).

Donate to EPIC

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "EPIC" and sent to 1718 Connecticut Ave., NW,
Suite 200, Washington, DC 20009. Or you can contribute online at:
Your contributions will help support Freedom of Information Act and
First Amendment litigation, strong and effective advocacy for the right
of privacy and efforts to oppose government regulation of encryption and
expanding wiretapping powers.

Thank you for your support.

------------------------- END EPIC Alert 16.03-------------------------