While privacy advocates in the U.S. are looking at the White House Big Data reports as potentially uplifting to legislative efforts at protecting privacy, Canadian advocates are warning against a pair of proposed bills that one author calls “frightening.” Also in this Privacy Tracker weekly legislative roundup is information on a European Court of Justice decision to limit the sharing of drivers’ data between member states and the quiet-but-steady implementation of the EU Cookie Directive. Plus, in the U.S., hear about the latest FTC settlement, a derivative lawsuit stemming from the Wyndham decision and concerns about the Supreme Court’s ability to understand technology.
Advocates Hope Big Data Report May Boost Legislative Efforts
Privacy advocates are hopeful that the White House’s Big Data report will spur movement on some of the numerous privacy bills in both houses, reports The Hill. Although bills addressing surveillance, breach response and the updating of the Electronic Communications Privacy Act have gained support, some have stalled out at various stages. Sen. Patrick Leahy (D-VT) told The Hill he hopes the report will get the ball rolling again, but Rep. Zoe Lofgren (D-CA) noted, “My Republican colleagues are not big fans of the president,” adding she hopes “they will not discount” the report. Editor’s Note: You can find a synopsis of the Big Data reports by the IAPP’s Angelique Carson, CIPP/US, here.
U.S. Bill Would Streamline Financial Privacy Notices
Sens. Sherrod Brown (D-OH) and Jerry Moran (R-KS) have revived their efforts toward The Privacy Notice Modernization Act, which would mean some financial institutions don’t have to send yearly privacy notices to customers, reports Credit Union Times. Under the bill, financial institutions that haven’t changed their privacy policies and don’t publicly share customer information would be exempt from the Gramm-Leach-Bliley Act’s requirement that financial organizations send yearly notifications to customers. The renewed push comes just days after the CFPB’s proposal to allow financial institutions, in some circumstances, to post notices online as opposed to mailing them.
California Consumer Privacy Bills Struggle In the Face of Business
California legislators have seen multiple bills to protect consumer privacy, and while some of the more notable have failed due to opposition from business groups, Richard Holober, executive director of the Consumer Federation of California, says, “We are winning small, bite-size kinds of fights.” The Associated Press reports that industry opposition has led to the demise of AB 1710, which would have set new standards for businesses that hold customer data, and SB 994, proposed by Sen. Bill Monning (D-Carmel), to protect data produced by connected cars. Holober notes that “when it’s about the core profit motive of high tech companies, wins will only really occur when there’s a voter revolt,” while Monning wondered whether people are “voting in the best interest of constituents or in reaction to the massive power of industry?”
NY Court: Teacher Pension Data Is Public
The New York Court of Appeals has ruled that teacher pensions should be made public under the state’s Freedom of Information Law, reports the New York Daily Record. While teachers’ home addresses and names and addresses of survivors of deceased retirees are to be kept private, names and benefits of teachers are to be released. The ruling bucks a 1983 decision to protect this information.
Opinion: C-13 and S-4 Redefine Privacy in Canada for the Worse
This op-ed in the Digital Journal by George Arthur follows the lead of Michael Geist’s recent blog post underscoring the main points of two privacy bills under consideration in Canada: S-4, before the Senate, and C-13, before the House of Commons. Taken together, the bills “are frightening,” says Arthur, noting, “By allowing corporations to share private customer data amongst each other, the Harper government is basically promoting the idea that big business can act as deputies to (law enforcement agencies).” Arthur points to the public outrage over C-30, calling on citizens to similarly rally against these bills.
EU Court of Justice Nixes Driver Data-Sharing Law
The European Court of Justice (ECJ) has determined that a law requiring member states to share data on drivers with traffic offenses goes beyond the EU’s competence. European Voice reports that under the directive, member states could access vehicle registration data on residents of other member states in order to obtain information on drivers who committed certain traffic offenses. The ECJ found that this data sharing does not concern “prevention of crime” as defined under the police cooperation rules, so the law was adopted on the wrong legal basis, the report states.
The FTC's COPPA Guidance Examined
In April, with little fanfare, the Federal Trade Commission (FTC) updated its guidance on COPPA and schools. In a year when privacy concerns are blamed for the collapse of the multimillion-dollar, multistate educational technology venture inBloom, best practices for online student privacy are particularly timely. Although the FTC’s “Complying with COPPA: Frequently Asked Questions” page represents staff opinions and seeks merely to clarify existing standards, it gives educators, tech vendors and website and app designers a valuable new tool to help them “make the grade.” IAPP Westin Research Fellow Kelsey Finch examines the guidance and provides additional resources in this exclusive for The Privacy Advisor.
States Shifting To Require Warrants for Drug Database Searches
In the U.S., police have for years had very little trouble gaining access to the prescription drug records of individuals suspected of committing crimes. But that’s now changing, The Wall Street Journal reports, as some courts and legislators are starting to restrict such data based on privacy concerns. While law enforcement argues easy access to databases of controlled substance prescriptions is crucial to thwart illegal prescription drug transactions, privacy advocates say warrantless searches of such databases violate privacy, and a U.S. court in Oregon recently agreed—ruling federal agents need a warrant to search the state’s prescription drug database. Florida and Pennsylvania are considering similar moves, and in Vermont, the database is off limits. (Registration may be required to access this story.)
House Committee Passes Surveillance Bill; Apple Offers Gov't Access Report
The House Judiciary Committee voted unanimously to pass a measure limiting National Security Agency (NSA) access to Americans’ phone records, reports The Washington Post. The bill prohibits “dragnet surveillance,” requires the NSA to get permission from the Foreign Intelligence Surveillance Court on a case-by-case basis and allows service providers to publicize more information about government requests. Meanwhile, Apple has published guidelines clarifying how it handles requests for customer data from government and law enforcement, reports The New York Times. The report gives insight into the company’s ability to provide data; for example, Apple says it can hand over photos, documents and data stored on iCloud, but if a user deletes that information from iCloud, it is cleared from Apple’s servers. (Registration may be required to access this story.)
Ohlhausen "Somewhat Optimistic" on Breach Bill; IBM Unveils Breach Services
Speaking on the day that Target’s CEO resigned after fallout from a massive data breach, Federal Trade Commissioner Maureen Ohlhausen said she’s “somewhat optimistic” about Congress passing a federal data breach bill, The Hill reports. “I have found on a bipartisan basis there has been an interest in better data security guidance and having legislation in that regard,” she said. Meanwhile, IBM has increased its presence in the computer and information security business by unveiling a set of services designed to protect against cyber-attacks and investigate breaches. The Threat Protection System and Critical Data Protection are, according to Re/code, enhancements to existing services: The former aims to block sophisticated attacks, while the latter aims to locate a business’s most valuable data to better protect it.
FAA Weighs In on Complexities of Regulating Drones
Federal Aviation Administration Administrator Michael Huerta spoke to NPR's Robert Siegel about the challenges involved in regulating the use of drones, noting airspace safety is of utmost concern, but privacy concerns also hold weight in the process. In responding to Siegel’s question as to property owners’ rights in relation to drones, Huerta said, “What is clear is that you have a right to be concerned about: Is an unmanned aircraft over your property infringing … your right to privacy? And I think that we as a government need to figure out, is there something unique about this technology that would cause us to treat it differently than the constitutional protections you already have?”
With CFPB Referral, Is OBA Self-Regulation Growing Teeth?
In a first-of-its-kind move, the Online Interest-Based Advertising Accountability Program has referred SunTrust Bank to the Consumer Financial Protection Bureau (CFPB) for refusing to participate in the advertising industry’s self-regulatory process. The accountability program had sent a letter to SunTrust inquiring about how it was using third parties to collect users’ web-browsing habits for use in interest-based advertising. According to a Council of Better Business Bureau press release, the accountability program observed “what appeared to be third parties known to be engaged in collecting consumers’ web browsing activity in order to serve them interest-based ads.” Additionally, the program inquiry sought the bank’s help in determining whether consumers received real-time notice of the online behavioral advertising activities. In this exclusive for The Privacy Advisor, Jedidiah Bracy, CIPP/US, CIPP/E, looks into the move.
Judge: FTC Must Disclose Enforcement Action Criteria
The Federal Trade Commission’s (FTC) chief administrative law judge, Michael Chappell, has ruled the agency can be compelled to disclose the details of the data security standards it uses to pursue enforcement actions against companies that suffer data breaches, Computerworld reports. The ruling, issued Thursday, responds to a motion filed by now-defunct medical laboratory LabMD, which accused the FTC of holding it to data security standards that don’t officially exist. Chappell held that LabMD may not inquire about the FTC’s legal standards or rationale but has the right to know the standards it’s expected to comply with. “The decision is a victory for the many groups that are opposed to the FTC’s pursuit of companies that have suffered data breaches in recent years,” the report states.
Indiana Database Plan Raises Concerns
A law calling for the Indiana Network of Knowledge (INK) to track students from elementary school through college and into the workforce is raising privacy concerns, the Associated Press reports. “The database will link information from the Department of Education, Commission for Higher Education and the Department of Workforce Development,” the report states, noting, “State officials say great care will be taken to remove student names and other identifying information. INK will develop a data security and safeguarding plan, as well as procedures for protecting the data in case of a breach.” However, parents and privacy experts are concerned, with one advocate suggesting, “It really is one of those Pandora’s boxes.” Editor’s Note: IAPP VP of Research Omer Tene wrote about the demise of inBloom in a recent Privacy Perspectives post.
What If There Was a Law for Every Device
In the sectoral framework of U.S. privacy law, legislators provide statutory protections for different kinds of data—financial data, health data, etc. Hogan Lovells’ Privacy Team takes a look forward in this Privacy Tracker post, wondering, in light of recent attempts to regulate connected cars and drones, what’s next? “Are refrigerator privacy laws on their way? What about televisions, thermostats, robots and toilets?” While current proposals for tech- or service-specific legislation may seem reasonable, the authors say lawmakers need to take into account whether these bills will “be able to adapt to evolving technologies and consumer preferences and should also consider the degree to which such legislation can create conflicting or unclear obligations as the connected world evolves.”
The Big Data Reports: Good for Privacy Pros—Anyone Else?
Privacy pros are largely lauding the White House’s recent report, “A Technological Perspective,” which delivers “recommendations on how we can embrace Big Data technologies while at the same time protecting fundamental values like privacy, fairness and self-determination.” But some are skeptical about it ever being more than a PDF spouting off some pretty good intentions. Concurrently, the President’s Council of Advisors for Science & Technology issued a report as part of an initiative begun in January that aims to “accelerate the development and commercialization of technologies.” Angelique Carson, CIPP/US, reports on all the details for The Privacy Advisor.
Assessing the Supreme Court's Technology Gap
Ars Technica reports on the difficulties U.S. Supreme Court justices—by their own admission—have in understanding technology in a slew of recent high-profile cases. Justice Elena Kagan has acknowledged that the court has not yet “gotten to e-mail” and instead the justices communicate through printed paper memos. Just last week the justices heard arguments in two cases involving warrantless access by law enforcement to suspects’ cellphones, and two justices have indicated they expect to consider the constitutionality of National Security Agency surveillance. The Electronic Frontier Foundation’s Parker Higgins said, “It is essential that the court understands how people use technology, especially in areas where they’re trying to elaborate a standard of what expectations are ‘reasonable.’” Trevor Timm writes for The Guardian that this “lack of tech savvy on the bench” is only going to become more of a problem in the future. Editor’s Note: For more on this topic, see the Privacy Perspectives post “The Supreme Court Is Scared of Technology. This Is How Privacy Pros Can Help” by Jedidiah Bracy, CIPP/US, CIPP/E.
Shareholder Sues Wyndham, Board Members for Poor Data Security
Shareholder Dennis Palkon has filed a lawsuit against Wyndham Worldwide Corporation (WWC) and its board for failing “to take reasonable steps to maintain their customers’ personal and financial information in a secure manner,” SC Magazine reports. “As a result of WWC’s complete and utter lack of appropriate security measures, thieves were able to steal sensitive personal and financial data from over 619,000 of the company’s customers,” the suit says. Palkon seeks to “remedy defendants’ violations of law, breaches of fiduciary duties and waste of corporate assets that have caused substantial damages to the company.” One expert said “as risk management becomes more of a focus … it’s not just going to be IT folks that get canned” but others “higher up the chain.”
Snapchat Settles With FTC; Was It Enough?
The Federal Trade Commission (FTC) announced Thursday it has settled with ephemeral social networking app Snapchat, claiming the company deceived users into thinking messages were permanently deleted and transmitted users’ locations and collected their address books without notice or consent. FTC Chairwoman Edith Ramirez said, “If a company markets privacy and security as key selling points in pitching its service to customers, it is critical that it keep those promises.” The complaint also alleges Snapchat used poor data security with its “Find Friends” feature. As part of the settlement, Snapchat is required to implement a privacy program and be monitored by an independent privacy professional for the next 20 years. The case, according to the FTC, is part of the Global Privacy Enforcement Network sweep and the Asia-Pacific Privacy Priorities Forum’s Privacy Awareness Week. A column for The New York Times, however, questions whether these types of consent orders “have led to a wholesale shift in how tech companies handle private data.”
Opinion: Proposal To Grant Telecoms Immunity Is "Bad Idea"
In a column for Salon, Andrew Leonard asks, “Why is Barack Obama so intent in ensuring that telecom companies are immune from legal liability from cooperating with government snooping?” The Guardian recently reported the White House asked legislators crafting competing reforms to provide such immunity. For Leonard, this latest move raises two red flags: One of the “competing reforms” calls for government access to phone records without warrants. With warrantless access and legal immunity, “the government would have vastly expanded spying authority,” he writes, while telecoms “would have no incentive to resist government overreach.” Secondly, with Obama’s plan to restrict the NSA’s ability to request bulk data, the NSA will be “able to obtain more information about our activities than currently.” Meanwhile, House Judiciary Chairman Bob Goodlatte (R-VA) has agreed to move one NSA reform bill forward after months of delay.
CASL Regulators to Businesses: The Onus Is on You
The three regulators seated at the speakers’ table didn’t have to say a word about the fever-pitch level of concerns they’re hearing from businesses on Canada’s new anti-spam legislation (CASL): The stuffed-to-the-gills, guess-I’ll-sit-on-the-floor conference room at the IAPP Canada Privacy Symposium spoke for itself. Even so, the regulators opened the session with the words, “It’s been a very aggressive few months.” Angelique Carson, CIPP/US, reports on all the details in this exclusive for The Privacy Advisor.
Clayton Concerned About New Alberta Health Legislation; Denham, Cavoukian Call for Reforms
Alberta Information and Privacy Commissioner Jill Clayton is concerned the province’s health legislation reforms “could have a ‘chilling effect’ on her office’s ability to have confidential consultations with Albertans,” the Edmonton Journal reports. Spurred by the Medicentres breach involving the loss of an unencrypted laptop containing personal information on 620,000 patients, the amendments would change the ways breaches are reported, including allowing Clayton to share breach information with the health minister. Clayton’s office has indicated the reform “may impact individuals’ willingness to request reviews, make complaints or report privacy concerns if they perceive that ‘any information’ they share with the commissioner may be disclosed to the minister,” the report states. Meanwhile, Ontario Information and Privacy Commissioner Ann Cavoukian and BC Information and Privacy Commissioner Elizabeth Denham write in the National Post, “We call upon governments, associations of chiefs of police and police services boards to work collaboratively with mental-health professionals to entrench the need for discretion in the disclosure of mental-health information, restricting its disclosure only to when absolutely necessary.”
Rankin: Delay Passing Bill C-31
The Financial Post reports on the NDP’s calls for the federal government “to delay passing legislation aimed at cooperating with the United States in taxing its citizens living in Canada, saying the law could ‘violate the privacy and constitutional rights’ of those residents and needs to be studied more closely.” The agreement is part of Bill C-31, and Murray Rankin, Opposition critic for national revenue, said Monday that the sections of C-31 related to the agreement should be removed and that passage of the bill should be delayed until the agreement is studied. “FATCA would provide the U.S. government with sensitive personal information, sensitive financial information on approximately one million Canadians,” he said.
Has the EU Cookie Directive's Time Finally Come?
“Two years ago this week, I attended my first IAPP conference and the first-ever Data Protection Intensive,” Eleanor Treharne-Jones, CIPP/E, writes in this post for Privacy Perspectives, detailing a time when “the talk was of nothing but cookies” with enforcement of the EU Cookie Directive in the UK one month away. While cookies are not making news this year, she writes that “at TRUSTe we have seen just as many global companies adopt our comprehensive cookie-management solution in the first quarter of this year as in any other quarter of the last two years,” offering reasons why despite “enforcement activity so far amounting to little more than notices from regulators and some limited fines,” companies are increasing investment in this area.
German Court Requires Analytics Opt-Out Notices
The Frankfurt am Main Regional Court issued a ruling earlier this year addressing the use of opt-out notices for web analytics tools, Hunton & Williams’ Privacy and Information Security Law Blog reports, noting, “The court held that website users must be informed clearly about their right to object to the creation of pseudonymised usage profiles.” The information is required when users first visit sites, the report states, and must remain accessible at all times. The case relates to Piwik web analytics software and its “AnonymizeIP” function, the report states, noting it “represents a broader trend in Germany of treating violations of data protection law as breaches of unfair competition law.”
Graham's Brave New World of Privacy Enforcement
The Global Privacy Enforcement Network (GPEN) has announced it is focusing on the collection and use of data in mobile applications for this year’s privacy sweep, to be held between May 12 and 18, and will look at app permissions and how apps disclose why they want data and what they do with it. “It is important that consumers have the information necessary to really understand what they are agreeing to when they install an app on their mobile device,” said Interim Privacy Commissioner of Canada Chantal Bernier. During last week’s IAPP Europe Data Protection Intensive, the UK ICO’s Simon Rice warned app developers to be mindful of their privacy practices. In 2013, GPEN looked into organizations’ transparency when disclosing privacy practices.