While U.S. federal lawmakers struggle to find the right balance on data breach notification, state legislators are offering up bills to protect consumers from tracking through cellphones, smart meters and license plates, and one company is pushing back against Utah’s license-plate privacy law, saying it infringes on First Amendment rights. This Privacy Tracker weekly roundup covers all this and more, including the FTC, G29 and APEC announcement of a cross-border data transfer tool at the IAPP’s Global Privacy Summit last week and the Mexican DPA’s warning of an “abundance” of fines to come.
Data Breach Reporting, a Struggle for U.S. Lawmakers and Businesses
In the absence of a federal law, businesses are forced to comply with widely varying and ever-changing state data breach notification laws, but there are hurdles in the path to compromise for lawmakers as well. There are five federal bills looking at these issues right now; Covington and Burling published a comparison article on them a couple of weeks ago, and the Associated Press now reports on lawmakers’ lack of consensus on the issue, highlighting some of the key sticking points. FCW reports that a recent hearing of the Financial Institutions and Consumer Credit Subcommittee of the House Financial Services Committee saw law enforcement officials pushing for federal reporting standards, noting they could aid investigators and consumers, and Attorney General Eric Holder called for a national consumer notification law in February.
U.S. Bill Would Grant Farmers More Privacy
A bipartisan group of senators has proposed a bill that would prohibit the Environmental Protection Agency (EPA) from sharing the personal information of livestock and poultry producers. Agri-Pulse reports that HR 4157 comes a year after the EPA, in complying with a Freedom of Information request, released producers' personal information to three environmental groups. The information included names, addresses and in some cases phone numbers and e-mail addresses of over 80,000 producers, and the EPA says it has no power to prevent this from happening again.
California Sen. Proposes Student Privacy Bill
California Sen. Darrell Steinberg (D-Sacramento) introduced a bill that would help safeguard the personal information of public school students, reports the Los Angeles Times. While government-funded schools are prohibited from sharing student data, private companies now have access to it through web-based educational tools. Steinberg’s bill aims to close this loophole in California by barring contractors from sharing student data.
Indiana Anti-Surveillance Bill on Its Way to the Gov
The Indiana Senate and House have both passed a bill that would require police to obtain search warrants before using drones, using cellphones to track individuals or demanding passwords for electronic devices among other restrictions, reports the Indianapolis Business Journal. HB 1009 now heads to the Governor for final approval.
Maryland Del. Proposes Smart-Meter Privacy Bills
Maryland Del. Glen Glass (R-Harford/Cecil County) has proposed two bills to protect consumer data collected by smart meters. HB 331 would prevent utilities from selling smart-meter data to third parties, and HB 332 would allow consumers to decline the installation of smart meters without having to pay excessive fees. Concerns have also been voiced about law enforcement’s use of this data.
Maryland Del. Proposes Bill Targeting Tracking in Brick-and-Mortar Retail
Del. Sam Arora (D-Montgomery) has introduced legislation in the Maryland General Assembly that would require brick-and-mortar retailers to provide notice if they are tracking shoppers using their cellphones, reports The Washington Post. HB 924 does not propose to end the practice but to notify consumers of it. Some retail organizations are against the measure, however, and the Future of Privacy Forum has built an opt-out list similar to the do-not-call list, but no retailers have pledged to abide by it. (Registration may be required to access this story.)
Maryland Sen. Proposes Cell, License-Plate Privacy Bills
Sen. Christopher Shank (R-Washington) presented to the Senate Judicial Proceedings Committee two bills: one that would limit government access to cellphone location data and one to limit license-plate tracking by police, the Associated Press reports. Shank developed the bills with Sen. Jamie Raskin (D-Montgomery), who submitted a drone privacy bill in January. The cellphone privacy bill would require police to get a search warrant before obtaining GPS data from cellphone companies and would require cellphone owners to be notified of the search within seven days of its completion. The license-plate privacy bill would limit police use of license-plate tracking cameras and would require police to destroy the data after 30 days.
South Dakota House Passes Student Privacy Bill
Following unanimous support from South Dakota’s Senate, SB 63 has now unanimously passed the House as well. In its fourth iteration, the bill charges the state Department of Education with creating security measures for student data, prohibits the sharing of student data with the federal government and prohibits school officials from asking about a student’s religious beliefs, gun ownership and seven other things, reports Rapid City Journal.
Company Sues Utah for Right To Surveil
Digital Recognition Network, Inc. (DRN) and Vigilant Solutions are suing the state of Utah for banning them from using automated cameras to collect images, locations and times of license plates, claiming that it violates their First Amendment rights, reports The Oregonian. DRN Counsel Michael Carvin says, "Everyone has a First Amendment right to take these photographs and disseminate this information," arguing that a license plate is inherently public information. ACLU Attorney Catherine Crump says this is “a complicated area where we are going to need to carefully balance First-Amendment rights of corporations versus individuals’ privacy rights," noting that First Amendment rights aren’t unlimited; “There are circumstances under which the government is free to regulate speech."
Utah Senate Approves Drone Privacy Bill
The Utah Senate has unanimously approved a bill that puts limits on police use of drones. The bill would require law enforcement to get a warrant before using drones and puts limits on what kinds of data drones can collect and over what period of time, reports the Associated Press. The bill now heads to the House.
DPAs, FTC Unveil Cross-Border Data Transfer Tool
After a year of collaboration on the effort, the U.S. Federal Trade Commission (FTC), together with data protection authorities from around the world, held a press conference at the IAPP Global Privacy Summit Thursday to announce a joint agreement between G29 and APEC countries aiming to aid companies in achieving compliance with global data transfers. Speaking for the group, Isabelle Falque-Pierrotin, chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, said the tool, called a “referential,” is a “very political and symbolic act” for companies seeking to obtain double certification under Europe’s binding corporate rules (BCRs) and APEC’s cross-border privacy rules (CBPRs).
Proposition: EU Regulation with U.S. Penalties
Is the often abstract scholarship of privacy academics read by privacy regulators? It would seem that regulators may not have the time or inclination to read such work. On Wednesday, however, it was clear the answer was yes in many respects. Squeezed into a small room in the Rayburn House Office Building in Washington, DC, a handful of privacy scholars met briefly with some of the world’s most influential privacy regulators to discuss the future of public policy and the role of the privacy regulator as part of “Privacy Papers for Policy Makers,” co-organized by the Future of Privacy Forum and Rep. Sheila Jackson Lee (D-TX).
In the Privacy Debate, the Conventional Wisdom Is Wrong
Everybody knows the conventional wisdom: United States privacy law is weak and fractured, with neither comprehensive data protection legislation nor a dedicated privacy enforcement authority. The European Union is the gold standard of global privacy regulation, with its omnibus Data Protection Directive and collective force of 28 national data protection authorities. Alas, as is so often the case, conventional wisdom is wrong. In previewing two of his moderated conversations at the IAPP Global Privacy Summit, IAPP VP of Research and Education Omer Tene lays out just why that is in the latest installment of Privacy Perspectives. Meanwhile, Karlin Lillington writes for The Irish Times on "the obvious disjunct between mainstream American and European views on privacy."
ECPA Reform Gains Steam in House
The Hill reports that reform to the Electronic Communications Privacy Act (ECPA) is gaining steam in the House of Representatives. Privacy advocates have been frustrated of late, the report states, because reform has been stalled in the Senate. Reps. Kevin Yoder (R-KS), Tom Graves (R-GA) and Jared Polis (D-CO) have introduced the E-mail Privacy Act, and thus far, have 181 cosponsors. A spokesman for Yoder said they’re “pushing to get more.” Mark Stanley of the Center for Democracy and Technology said, “There’s a lot of growing support for that bill … A lot of members of Congress see this as a common sense thing.”
Data Security Remains in Congressional Spotlight
The Hill reports on two Congressional hearings this week aimed at unveiling data security issues and the potential for legislation. On Wednesday, the Financial Services subcommittee on Financial Institutions and Consumer Credit will hold a hearing to look into the nature of data breaches, what preventative measures are possible and whether technology can play a role in preventing breaches. The Congressional panel said the American public ought to know what protocols should “be in place when private- or public-sector entities mishandle, improperly disclose or otherwise fail to ensure the security of personal financial information.” Additionally, the House Science Committee will hold its own cybersecurity hearing on Thursday. Meanwhile, a man in Oregon has claimed to have received thousands of faxes allegedly meant for United Healthcare that contain sensitive personal information.
Judge: Insurer Doesn't Need To Defend Accused
A federal judge has said National Union Fire Insurance Company of Pittsburgh, PA, does not have to defend Coinstar and its Redbox, Inc. unit in a class-action that accuses them of “illegally keeping customers’ rental histories and then using the information for marketing purposes,” Law360 reports. U.S. District Judge John Coughenour granted the insurer’s motion for partial summary judgment, the report states. Meanwhile, U.S. District Court Judge Lucy Koh has said attorneys representing consumers in a class-action against Google face a “huge hurdle” in obtaining class-action status. (Registration may be required to access this story.)
"Revenge Porn" Victim Awarded $500K in Civil Case
A jury in Texas has awarded a woman $500,000 in a “revenge porn” case, KTRK-TV reports. An ex-boyfriend blackmailed her and eventually published the material on the Internet. Though there is no specific law against it in Texas, two state lawmakers are working on legislation that would make revenge porn illegal. Critics, however, warn such a law could violate the First Amendment. One legal analyst said, “If you allow the state or federal government to restrict your speech in one instance, it could expand and get more restrictive over other matters and nobody wants that.” New Jersey and California have both outlawed revenge porn and other states are considering a similar move.
Canadian Officials: Don't Loosen Control Over Personal Data
The Globe and Mail reports on a paper presented by Ontario Information and Privacy Commissioner Ann Cavoukian, Berlin Data Protection and Freedom of Information Commissioner Alexander Dix and Prof. Khaled El Emam responding to proposals to change the OECD guidelines. Reducing controls over the collection and use of personal data, they write, would “weaken rather than strengthen” privacy, the report states. “Leaving it up to companies and governments to determine the acceptable secondary uses of personal data is a flawed proposition,” they write. Separately, Chief Electoral Officer Marc Mayrand appeared before MPs, CBC News reports, “pointing out that the government's proposed changes to election laws include letting parties have lists of who cast ballots.”
Amidst Breaches, Clayton Calls for Stronger Laws
Alberta Information and Privacy Commissioner Jill Clayton has asked Health Minister Fred Horne to “strengthen provincial privacy legislation to include mandatory disclosure of all health information breaches,” Edmonton Journal reports. In her letter Thursday, Clayton asked Horne “to consider amending the province’s Health Information Act, which requires ‘custodians’ to protect the personal health information of Albertans,” the report states, citing the recent revelations about the Medicentres data breach involving the health information of 620,000 Albertans. Meanwhile, CBC News reports a recent University Hospital Centre breach is being called "unprecedented," and PHIPrivacyNet reports on an incident at a Shoppers Drug Mart where a customer was given a note with a medication name on one side and “the names, medications and phone numbers of five different people” on the reverse.
Opinion: Canada Should Not Enforce FATCA
In an op-ed for The Toronto Star, James George Jatras criticizes the recent “so-called ‘intergovernmental agreement’ to enforce FATCA, the U.S. Foreign Account Tax Compliance Act, in Canada.” Among the issues he raises with that decision are questions about privacy. He writes that “even FATCA’s advocates concede that direct enforcement is ‘wholly unachievable’ due to privacy protection laws in many countries that don’t allow personal data to be sent to unauthorized recipients … The primary purpose of the agreement is to nullify protections under the Bank Act, the Personal Information Protection and Electronics Documents Act, the Canadian Human Rights Code and especially the Charter of Rights and Freedoms.”
Reding Highlights Data Portability While Stumping for New Regulation
Saying “Citizens should be able to transfer their data from one service provider, such as a social network, to another — just as they are able to keep their mobile number when changing telecoms operators,” EU Justice Commissioner Viviane Reding called strongly for passage of new data protection regulation in a speech this morning before the Justice Council. Noting the European Parliament will vote on the data protection package on March 12, she said the Commission supports the Greek Presidency’s language and that “transfers based on adequacy, on so-called appropriate safeguards (such as binding corporate rules) or on well framed derogations which are the exception not the rule” are sufficient mechanisms for international data transfer, which might raise questions about the future of Safe Harbor. However, one report says Great Britain will be bent on filibustering progress.
CNIL Guidelines Address Online Purchases, More
Hunton & Williams’ Privacy and Information Security Law Blog examines new guidance from the French Data Protection Authority, the CNIL, addressing online purchases, direct marketing, contests and sweepstakes and consumer tracking. The report looks at each section, highlighting key points from the guidelines. For example, in its section on online purchases, the report explains that the guidelines “make clear that online merchants must limit their use of bank card numbers and visual cryptograms. Once the transaction is complete, the merchants should not store or reuse the bank details of their customers without the customers’ prior consent.” Separately, a Mondaq report examines the CNIL's guidance for businesses operating in France.
Reform Talks Continue; UK Officials Voice Concerns
InfoSecurity reports on a meeting this week in Brussels with an agenda focused “on reforming EU data protection rules.” Among those expected to attend are Justice Commissioner Viviane Reding and Home Affairs Commissioner Cecilia Malmström, representing the European Commission, and Home Secretary Theresa May and Justice Minister Chris Grayling, representing the UK. The report quotes May’s statement that, “The UK continues to believe that this proposal is far from ready for a general agreement, and that no such agreement can occur until the text as a whole has been approved.” Other UK privacy law stories are also garnering media coverage. CBR reports Shadow Home Secretary Yvette Cooper has "called on police and security services to do more to combat online crime and abuse, whilst still maintaining the public's right to privacy,” and The Telegraph reports on her comments that a Labour Government would consider appointing an “inspector general” with powers to investigate MI5, MI6 and GCHQ.
APPs Take Effect Wednesday
With less than a week now before reforms to Australia’s privacy laws come into effect on 12 March, ZDNet examines what is changing, including that “consumers will be able to request access to their personal information held by an organisation or agent … opt out of receiving direct marketing communications from organisations … and find out if their personal information will be sent overseas,” the report states. The reforms also include new enforcement powers for the privacy commissioner. "The new laws see a greater responsibility put on businesses and Australian Government agencies to be more transparent about how they handle personal information," said Privacy Commissioner Timothy Pilgrim.
Mexico’s Regulator Plans To Issue "Abundance" of Fines
Mexico’s data protection authority (IFAI) has issued a statement announcing it will issue “an abundance of fines in 2014 following an unprecedented increase in violations of Mexico’s Federal Law on the Protection of Personal Data in the Possession of Private Parties,” Reed Smith’s Cynthia O’Donoghue writes in this Mondaq report. The IFAI has the authority to issue fines for such violations of up to $1.5 million and up to three years imprisonment for data controllers whose databases are breached under their control, with double penalties for "sensitive data."