While much happened this week in privacy news (the NSA’s surveillance was deemed likely unconstitutional, consent was declared dead, the data broker industry was put on notice by a U.S. senator and the EDPS released its 2014 inventory), the news that hit home for us was that Peter Fleischer and two other Google executives were acquitted in Italy’s Supreme Court after an eight-year battle over whether they were legally responsible for content that users uploaded to Italy’s version of YouTube. Back in the day, the implications of this case were a little scary for privacy pros around the globe, and it seems now it’s finally over. Take a look at this and all the week’s developments in privacy law in this Privacy Tracker weekly roundup.
Sen. Proposes Employee Credit Privacy Bill
Sen. Elizabeth Warren (D-MA) has introduced the Equal Employment for All Act, which would prohibit employers from requiring job applicants to disclose their credit history as part of the application process, reports International Business Times. Warren says the practice stacks the deck against poorer workers and can create a vicious cycle. Norm Magnuson, vice president of public affairs for the Consumer Data Industry Association, says the organization supports the use of credit reports in qualifying potential employees, adding that in some cases the reports could show a pattern of irresponsible behavior.
How CalOPPA Changes Affect the App Industry
This article from Wired outlines the impact recently passed amendments to the California Online Privacy Protection Act will have on the app industry. The provision stating that publishers must “disclose whether third parties may collect Personally Identifiable Information over time from different websites” poses particular concern to app developers because of their methods of tracking users. The report also states, “Browser and app developers need to decide what ‘Do-Not-Track’ signals their products should offer and how to communicate the functionality to consumers and operators of commercial websites or online services.”
Congresswoman Pushes for Health Exchange Notification Law
Rep. Diane Black (R-TN) has introduced legislation to require the government to notify individuals if their personal information is breached through the Affordable Care Act's insurance exchanges. National Journal reports that H.R.3731 is part of a larger partisan campaign maintaining that “the exchanges are putting personal data at risk.”
Ohio Passes Student Data Privacy Bill
The Ohio House of Representatives has passed HB 181, legislation that prohibits schools from sharing students’ personal information with any federal, state or local entity without school board authorization, except in certain circumstances, reports the Perry Tribune. The law also requires the state department of education to publish data inventory policies and procedures yearly as well as provide data collection information to the General Assembly.
Two Education Privacy Bills Pass Committee in Wyoming
The Select Committee on Education Accountability has approved two bills sponsored by Sen. Bill Landen (R-Casper) involving the state’s Department of Education. The first would create a provision in the current law barring it from committing the state to “federal oversight or regulation” and also giving it the “authority to develop an education program without excessive oversight,” reports the Star-Tribune. The second requires the department’s directors and those of the Department of Enterprise Services to develop a data security plan and contains language used in other states’ student privacy laws.
Will GAO Report Spur Action from Congress?
Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, "Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace." The report recommends that Congress "consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information." Rockefeller is expected shortly to issue his own report on the topic, and the Federal Trade Commission is also preparing a report expected in early 2014. In this exclusive for Privacy Tracker, the Hogan Lovells privacy team looks at what the GAO examined and, in the short term, how Congress might respond to the GAO’s findings and, when they are published, Rockefeller’s. Are stronger consumer privacy protections on the way?
Federal Judge Rules NSA Program Likely Unconstitutional
A federal judge has ruled that the U.S. National Security Agency’s phone metadata collection program is likely unconstitutional, Politico reports. U.S. District Court Judge Richard Leon, an appointee of former President George W. Bush, said the program appears to violate the Fourth Amendment and the Justice Department has not successfully demonstrated that the program has thwarted terrorism. This roundup for The Privacy Advisor looks into the ruling and gathers together media reactions.
Unpacking the Klayman v. Obama Decision
On December 16, the District Court in the District of Columbia issued an opinion finding that the National Security Agency’s (NSA) surveillance program was likely unconstitutional. In Klayman v. Obama, five plaintiffs sued a variety of government officials and private companies seeking preliminary injunctive relief based upon the assertion that the NSA program was unconstitutional and violated other statutes. In what ended up making big news, the court concluded there was a substantial likelihood the plaintiffs would prevail on their Fourth Amendment claims and issued an injunction. In this Privacy Tracker blog post, Andrew Serwin, CIPP/US, CIPP/E, CIPP/G, unpacks the court’s decision. (IAPP member login required.)
Can Plaintiffs' Lawyers Fill the DPA Role?
Recent Privacy Perspectives blog posts have discussed whether the Federal Trade Commission (FTC) and state attorneys general serve as de facto data protection authorities in the U.S. “Both sides are correct,” writes Jeff Kosseff, CIPP/US, “The FTC and state attorneys general help set the general requirements for privacy and data security, just as DPAs do in Europe.” Kosseff, a privacy and communications associate for Covington & Burling, writes, “But another group is playing a role in the shaping of U.S. privacy and not always in a way that benefits society.” In this installment of Perspectives, Kosseff points out that “the priorities of plaintiffs’ lawyers differ from those of independent government data protection authorities” and that “some have argued that class-action lawyers often lead to settlements that provide substantial attorneys’ fees for plaintiffs’ counsel and very little for individual class members.”
Sen. Tells Data Broker Industry They're On Notice
In a Senate Commerce Committee hearing on Wednesday, Sen. Jay Rockefeller (D-WV) had harsh words for the consumer data broker industry. “We have a feeling people are getting scammed or screwed,” he said. The hearing focused on the use of consumer marketing data and followed the release of Rockefeller’s report on the industry, which said that Acxiom, Epsilon and Experian were not as forthcoming with their answers to Rockefeller’s investigation as he would have liked. Rockefeller warned he may use more forceful means of getting them to share such insights, AdAge reports. Experian Senior VP of Government Affairs and Public Policy Tony Hadley defended his company’s practices and said it has safeguards to ensure bad actors do not get consumer lists. In chilling testimony, the World Privacy Forum’s Pam Dixon discussed some of the disturbing use of data, including the selling of rape victim lists, home addresses of police officers and names of those with genetic illnesses. Rockefeller said the committee will continue to shine a spotlight on the industry.
EDPS Releases 2014 Inventory
The European Data Protection Supervisor (EDPS) has released its 2014 inventory, a strategic planning document highlighting key areas of focus for the year ahead. “As the second mandate of the EDPS will come to an end in early 2014, it is appropriate to highlight that privacy and data protection have now become relevant in a wide range of EU policies,” said outgoing EDPS Peter Hustinx, adding, “The recognition of privacy and data protection as fundamental rights means that their delivery in practice must remain a high priority on the EU political agenda.” Among the key areas of strategic importance for 2014 are a new legal framework for data protection and rebuilding trust in global data flows.
Yes, Consent Is Dead and Giving It a Central Role Is Dangerous
At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?”
LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don't Negotiate on Privacy
A preliminary conclusion by the European Parliament’s Civil Liberties Committee (LIBE) into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.”
Parliament Backs New Cloud Resolution
The European Parliament is backing a new cloud computing resolution “in response to actions the European Commission (EC) has set out under its cloud computing strategy,” Out-Law.com reports. The EC is engaging the European Telecommunications Standards Institute (ETSI) to help determine the new standards required for cloud services, the report states. In their resolution, MEPs welcomed ETSI’s participation, noting the standards “should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness.” The resolution also asks the commission to provide guidelines for businesses to “ensure full compliance with the EU’s fundamental rights and data protection obligations.”
CNIL Issues Cookie Guidance, Calls for Debate on "Surveillance Society"
Supreme Court Acquits Google Execs in Privacy Case
According to his personal blog, Google Global Privacy Counsel Peter Fleischer and two additional “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees for failing to comply with Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.”