Facebook defends second privacy lawsuit in US

Facebook is defending a lawsuit filed last week in the US alleging that its face-recognition technology breaches a law prohibiting collection of biometric data without informed written consent. At the centre of the challenge is the feature which scans faces of users' photos and suggests tags as users have not consented to the collection and storage. Damages of USD 5,000 per violation are being sought for the “intentional and reckless” violation in the class action led by plaintiff Carlo Licato.

Landmark US decision determines expert evidence subject to legal privilege

A US court has issued a decision this week following the hack of Genesco's data systems between 2009 and 2010 crucial to the treatment of cybersecurity experts' evidence in court. Visa levied fines of over USD 13 million against Genesco for PCI DSS failings and in response Genesco brought a lawsuit against Visa in the federal court. The court denied Visa's requests for discovery on the basis that cybersecurity experts' work is subject to attorney-client privilege and ratified the use of counsel as the key lead in data breach investigations.

Amazon Web Services agreement approved by Article 29 Working Party

Amazon Web Services' data protection agreement has been approved by the EU's Article 29 Data Protection Working Party. This agreement gives EU customers, who store data on Amazon servers outside Europe the same level of data protection offered to those with data stored in Europe. Amazon's web servers are widely used across Europe as they allow users temporary rental of large numbers of cloud-based virtual servers.  The approval is likely to allow vendors to outsource data processing to the US where it is cheaper, without compromising consumer protection.

US Spokeo case likely to affect class-actions

The Supreme Court agreed on Monday to hear a case likely to have affect class-actions by consumers against Internet companies who violate data and privacy laws. The action concerns search site Spokeo Inc who allegedly published incorrect information about a Virginia man's age and education, harming his prospects of employment. Spokeo argue that they fall outside of the law on consumer reporting as they are merely a search engine. The case has important implications for search engines such as Google who may see themselves subject to future class actions where they hold incorrect information which may cause harm to those it relates to.

UK railways vulnerable to cyber attack

Networked electronic and radio systems expert Professor David Stupples has highlighted serious flaws in the new digital signalling technology European Rail Traffic Management System (ERTMS) which is planned to be implemented in the UK in the 2020s. ERTMS is fundamental to creating a safer rail network in the EU but Stupples has highlighted security weaknesses which leave it open to hacking by an insider, potentially causing "major disruption" for the UK rail system.

Argentina Data Protection Authority adopts new Do Not Call and CCTV rules

New rules are in place to combat use by marketers of robocalls and covert video surveillance. They capture international data transfers or calls to overseas recipients and CCTV rules require the privacy of data subjects to be protected, including a sign showing their identity. Companies in breach face up to USD 12,000 fines.

Japan to discuss radical privacy reforms

The Japanese Diet (Parliament) held discussions on Friday 23 April around the need for imminent privacy law reform. The debate extended to the use of anonymous data, interaction with the EU and APEC, the use of drones and whether to establish an independent data protection authority. Further discussions are to continue in May and are expected to herald substantial changes in the country's privacy framework.