Brazil Internet Bill of Rights Becomes Law
Brazilian President Dilma Rousseff has signed the country’s Internet “Bill of Rights” into law, CNET reports. The bill, also called the Marco Civil, or Constitution for the Internet, aims to “safeguard online privacy and pave the way to complete net neutrality,” the report states. While the bill has been in the process of passing for years, revelations on invasions of privacy via the U.S. National Security agency spurred government action. Whistleblower Edward Snowden sent an open letter to the people of Brazil last December alleging the NSA tracks residents. World Wide Web creator Tim Berners-Lee said the law could lead to similar legislative action worldwide.
California Senate Panel Approves Online Privacy Bill
Law360 reports that a California Senate panel passed a bill to limit how commercial websites can handle consumers’ personal information. The bill would require data brokers to allow California residents to opt out of the sale and public posting of their personal data, the report states. (Registration may be required to access this story.)
California Vehicle Data Bill Stalls in Committee
A bill requiring car makers to open up access to data transmitted by computerized cars has stalled in committee, reports The Sacramento Bee. The bill’s backers say it would give consumers more control over the data, allowing them to share it with whom they choose, but automakers have claimed it’s an attempt by insurance companies to get access to this data. Still others say the bill would be very costly for automakers and raises questions about compromising data privacy and security, among others. Interestingly, seven of the 11 lawmakers abstained from voting, ending in a 3-1 vote—three short of the votes needed for advancement.
California Mayor Wants Surveillance Notification
Compton, CA, Mayor Aja Brown has proposed the Citizen Privacy Protection Policy, which would require law enforcement to notify the public before installing surveillance equipment, reports Los Angeles Times. The proposal was prompted by news that for nine days in 2012, police conducted aerial surveillance of the city. There are currently cameras mounted throughout the city, with plans for approximately 75 more. A sheriff’s department spokeswoman cited the ground cameras as the rationale for not notifying the public of the aerial recording; however, Sgt. Doug Iketani said the surveillance was kept quiet to mitigate complaints.
Connecticut Senate Passes Pharmacy Rewards Program Bill, Addition to Do-Not-Call Registry
The Connecticut Senate has passed a bill requiring pharmacies to notify customers that take part in prescription drug rewards programs about which third parties will have access to their data because of agreeing to the program and what their medical privacy rights are if they waive their HIPAA rights by signing up. The Hartford Courant reports that while SB 208 does not prohibit these programs, Sen. Paul Doyle (D-Wethersfield) says “it's making the consumer aware if they opt in and become a participant, what they can be giving up.” The Senate also unanimously approved a measure to include unsolicited text messages on the state’s do-not-call registry. Both bills will now head to the House.
Florida Senate Passes Amended Breach Notification Law
The Florida Senate has unanimously passed the Information Protection Act of 2014, requiring businesses to notify consumers of a breach within 30 days, reports Law360. SB 1524 also repeals previous breach legislation and contains a provision stating that for breaches of more than 500 individuals, organizations must also notify the attorney general’s office. “While Florida is one of 47 states that currently have state security breach notification laws, the replacement legislation modernizes and updates the statute and expands the statute to include state governmental entities and their instrumentalities, according to a representative with the attorney general's office,” the report states. (Registration may be required to access this story.)
Michigan Senate Passes Gun-Owner Privacy Bills
The Michigan Senate has passed three bills that would make gun-owner records confidential and therefore not subject to Freedom of Information Act requests, reports WILX 10 . The records would be available only to law enforcement and only under certain conditions. Violations could result in a fine of $550, the report states. The bills now head to the House.
Minnesota Committee Aims To Stop Public Employees’ Snooping
Due in part to an incident involving a Department of Natural Resources employee improperly accessing driver's license data, a House-Senate committee is struggling to create a bill aimed at halting the snooping of public workers, the Associated Press reports. The group has discussed options such as publicly naming snoopers, informing the targets of the snooping that their data was inappropriately accessed and creating reliable means of tracking access. The group has yet to come up with legislation to propose.
Minnesota Senate Passes Indefinite Newborn Data Retention Bill
The Minnesota Senate has passed a bill allowing the State Department of Health to retain newborn bloodspot data indefinitely, restoring a policy that was overturned in a state court, reports GenomeWeb Daily News. While the bill requires more education for parents about the screening and allows parents to opt out of the program, it would allow the state to use the data for research and to develop new tests. Individuals would also be able to opt out of the program upon their 18th birthday. In a written statement, the Citizen's Council for Health Freedom expressed its disapproval, saying the Senate “just voted to repeal genetic privacy rights at birth."
NH House Approves Mobile Privacy Bills
The New Hampshire House has approved two anti-surveillance bills aimed at protecting individuals’ mobile devices, reports Offnow.org. HB 1619 prohibits government agencies from obtaining or accepting personal information from “third-party providers of information and services” without first getting a warrant. HB 1533 bans the use of information obtained from a “portable electronic device” in “a criminal, civil, administrative or other proceeding.” A committee will tackle a third bill targeting the collection of location information next month. As a group, the bills aim to thwart government surveillance.
Drone Bill Proposed in Rhode Island, Nixed in NH
RI Rep. Teresa Tanzi (D-District 34) has proposed HB 7170 to regulate government use of drones in the state, and while most believe there is an appropriate use for drone surveillance, privacy advocates and authorities differ on where to draw the line, reports WPRI. RI State Police Col. Steven O’Donnell says as written, the bill would limit first responders’ ability to do their jobs. In New Hampshire, HB 1620, which aimed to restrict commercial drone use, has been sent to interim study by the Senate, “a polite way to kill bills in the second year of a legislative session,” according to Government Technology. While the bill’s sponsor, Rep. Neal Kurk (R-Weare) believes the bill strikes the right balance, opponents say it is too restrictive, placing limits on drones that do not exist for small helicopters and planes.
The FTC's Common Law of Privacy
Columbia Law Review has published the “The FTC and the New Common Law of Privacy,” co-written by Profs. Daniel J. Solove and Woodrow Hartzog. They note the Federal Trade Commission (FTC) has been enforcing companies’ privacy policies through its Section 5 authority since the late 1990s, resulting in a body of FTC jurisprudence that “is functionally equivalent to a body of common law…” In their paper, Solove and Hartzog “explore how and why the FTC, and not contract law, came to dominate the enforcement of privacy policies” while contending the FTC’s jurisprudence has effectively “codified certain norms and best practices and has developed some baseline privacy protections.” They argue standards now resemble rules and this “common law” is the foundation for “a robust privacy regulatory regime.” Editor’s Note: Woodrow Hartzog will be an instructor, focusing on privacy and the FTC, at this year’s IAPP Information Privacy Summer Institute. Find the IAPP’s burgeoning FTC Casebook here.
Justice Dept. Fights Judge Over Bulk E-mail Collection Rulings
Lawyers from the Justice Department are appealing to a higher court after Magistrate Judge John Facciola’s denial of the department’s application to search and seize several months’ worth of a suspect's e-mails, reports The Wall Street Journal. Facciola has twice denied the application saying the first step of the government’s two-step process, in which the government obtains all e-mails and information tied to the account from a third party, puts too much personal information in their hands. Facciola believes the third party, in this case Apple, can sift through the data prior to giving it to the government, but the Justice Department objects to giving investigative responsibility to a service provider. (Registration may be required to access this story.)
Illinois To Write a New Consent Law, But What About Other Two-Party States?
It’s a good thing producers of The Good Wife aired their episode “A Few Words” when they did, or one of the best lines—for privacy litigators, at least—would’ve been moot. In this Privacy Tracker post, InfoLawGroup’s Tanya Forsheit, CIPP/US, breaks down the People v. Clark decision deeming Illinois’ two-party consent law unconstitutional and why most other two-party state laws won’t be affected—most notably California’s. “California’s two-party consent law does not suffer from the defect that doomed Illinois’s two-party consent law in Clark,” writes Forsheit, noting, however, “it remains to be seen, in California and elsewhere, what happens in close cases where it is far less clear whether all the parties have a reasonable expectation of privacy in the conversation.”
Ohlhausen on the Challenges of Creating Policy for Big Data
Federal Trade Commissioner Maureen Ohlhausen spoke at last week’s “Privacy Principles in the Era of Massive Data” at Georgetown Law, highlighting a need for more guidance for industry, but also noting that she hasn’t “seen anything that suggests that big data technology raises fundamentally new data security issues." Ohlhausen also discussed contradictions between the Fair Information Practice Principles and the way Big Data is currently used, and while underscoring the need for diligence in the FTC, cautioned against “preemptive action that could preclude entire future industries."
Wyndham and the Future of Cybersecurity Legislation
The FTC v. Wyndham case has been called by some the “most important federal court decision on data security enforcement,” but what does it mean for the possibility of cybersecurity legislation in the U.S.? Andrew Proia, a postdoctoral fellow at Indiana University, outlines some possible outcomes in this Privacy Tracker blog post. “Calls for comprehensive data privacy and security legislation are nothing new,” Proia writes, but with the affirmation of the FTC’s authority under the FTC Act, will passage of such a proposal be more or less likely? It may depend on who you ask. (IAPP member login required.)
FTC Issues Advice on COPPA Compliance; New Tool Aims To Help
The Federal Trade Commission (FTC) has expanded the guidance attached to its children’s online privacy rule (COPPA) to provide schools with information on how to obtain consent to collect students’ personal data, Law360 reports. In its “Complying with COPPA: Frequently Asked Questions” guide, the FTC offers advice on how to enable students to share information using a publicly available online social network, among other topics. Meanwhile, a free cloud-based compliance service, AgeCheq, aims to help mobile app and game publishers to comply with COPPA. “The mobile app industry requires a single, simple-to-use system that manages COPPA compliance for both publishers and parents, and that is exactly what AgeCheq is," said the company’s CEO.
Opinion: The Trouble With the Digital Privacy Act
With the Digital Privacy Act (Bill S-4) in the news, commenters are beginning to make their voices heard in opposition. Tony Drake writes for ITBusiness.Ca in agreement with Michael Geist that the privacy legislation “could mean lots more work for (Ontario Privacy Commissioner Ann) Cavoukian and her federal counterpart,” due to the broad allowances the act makes for investigating agencies to acquire PII without a warrant. Advocacy organization Index on Censorship likens the proposed bill to the U.S. legislation known as CISPA. Further, the Canadian Bar Association’s publication, National, rounds up other concerns generated by the bill, including the chance it will “open the door to copyright trolling in Canada.”
Senators Submit Report on Open Data
Telecompaper reports on a report from French Sens. Gaetan Gorce and Francois Pillet on an open data policy for government information. “After three months and around 40 interviews, the senators concluded that open data represents a risk to citizen 'e-identification.' In the healthcare sector, for example, someone can identify a person in 89 percent of cases using information about hospital name, date of birth and post code, and 100 percent if there have been two hospital visits,” the report states. The report includes about 20 recommendations, including that the government “anonymise, if necessary, all of its databases that have personal information and could be opened publicly.”
Albrecht Talks Technology, Proposed Regulation
This piece in The Irish Times profiles European member of Parliament (MEP) Jan Philipp Albrecht, who was among the first of the MEPs to support the decision to toss out the data retention directive recently. Albrecht credits his youth with helping him understand the implications of certain technologies. At 31 years old, he grew up with the Internet and was among the first wave of lawyers to be trained in the area. “Now, the whole question of how we combine legal issues with technical issues has become so important. There is a need for people who can understand and explain the technology environment in which we live,” Albrecht says, adding he’s confident the new data protection regulation will be passed by 2015.
FOI Request Produces Briefs on Australian Gov’t Plan
The Australian Attorney General’s Office has released ”heavily censored” documents related to the government’s shuttered data retention plans, reports The Sydney Morning Herald. The documents include talking points in the form of “If asked about…” bullet points, background on telecommunications security and indicators of the need for reform.
ACC Calls for Mandatory Data Retention Regime
The Australian Crime Commission (ACC) has appointed a new chief executive and told Internet service providers to up their game on tackling crime, ITWire reports. In its submission to the Senate Standing Committee on Legal and Constitutional Affairs, the ACC called for a two-year mandatory data retention regime to provide law enforcement agencies “the flexibility to tackle the complications posted by emerging technologies,” the report states.
Edwards To Limit Cost of Credit Reports in New Zealand
New Zealand Privacy Commissioner John Edwards has proposed limiting the amount credit reporters can charge individuals for immediate access to their credit information to $10, reports NewstalkZB. The efforts were prompted by a company charging $51.95 for access, which Edwards called unreasonable and a breach of the Credit Reporting Privacy Code, as it is a barrier to individuals’ access rights.