While U.S. federal lawmakers struggle to find the right balance on data breach notification, state legislators are offering up bills to protect consumers from tracking through cellphones, smart meters and license plates, and one company is pushing back against Utah’s license-plate privacy law, saying it infringes on First Amendment rights. This Privacy Tracker weekly roundup covers all this and more, including the FTC, G29 and APEC announcement of a cross-border data transfer tool at the IAPP’s Global Privacy Summit last week and the Mexican DPA’s warning of an “abundance” of fines to come.
Senators in Florida and Illinois are proposing bills to limit surveillance and police access to data; the Texas Court of Appeals has expanded cellphone privacy rights, and the Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices. Meanwhile, the U.S. government has entered an agreement with Japan allowing the countries to share fingerprints of suspected terrorists to be matched against each other’s databases, and the U.S. Department of Justice is asking the Foreign Intelligence Surveillance Court for longer retention periods for certain data. Read about these developments and more in this week’s Privacy Tracker legislative roundup.
In this Privacy Tracker weekly legislative roundup, read about the prospects of German advocacy groups getting the right to sue businesses, the status of the Philippines’ cybercrime law and proposals in the U.S. pushing for less data collection and more consumer protections. The Utah attorney general has stopped using administrative subpoenas for cellphone and Internet data, saying “writing yourself a note to go after that stuff without any check is too dangerous,” while the Senate looks at a bill that would mean law enforcement needs a judge’s order as well. Also, Orin Kerr has published an article supposing what a communication privacy act might look like if the U.S. scrapped ECPA and started from scratch, and there’s a handy interactive map outlining the status of social media privacy laws throughout the U.S.
Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace.” What did the GAO examine, and, in the short term, how might Congress respond to the GAO’s findings and, when they are published, Senator Rockefeller’s own scheduled report?
Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, CIPP/US, the legislation “may raise as many questions as it answers,” because due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Find out about the options in this Privacy Tracker blog post.
This week’s Privacy Tracker legislative roundup highlights changing privacy laws from the U.S. to Bahrain. Revisions to the U.S. Telephone Consumer Protection Act went into effect last week; the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will vote today on amendments to the proposed regulation and directive—including one that would see U.S. companies seeking permission from EU officials before complying with government access requests to EU data, and the Bahrain cabinet has preliminarily approved a data protection law. Meanwhile, the UK Information Commissioner’s Office is considering jail time for breaches at the same time as justifying its fining practices.
While U.S. regulators mull over the need for rules surrounding drone use by law enforcement, Montana’s new gun owner healthcare privacy law went into effect and California continues to shape privacy law moving toward a “presumption of harm” in breach cases, but one op-ed claims its “revenge porn” law doesn’t do enough. A Zimbabwean law established a central SIM card database, and Australia’s information commissioner has released a best practice guide for app developers. This weekly roundup offers information on all these issues and more, including what regulators had to say at both the IAPP Privacy Academy and the 35th International Conference of Data Protection and Privacy Commissioners.
Westin Fellow Kelsey Finch analyses U.S. District Judge Lucy Koh’s decision that Google’s practice of intercepting e-mails to and from Gmail users may violate federal and California wiretap laws. Using a “narrow reading” of the federal wiretap law and a “broad reading” of the California law, Koh sent the majority of the case on to trial, “inviting close scrutiny of both … statutes in light of the latest technologies and business practices.” Finch writes, “As the tension between consumer protection and business innovation continues to loom large in the privacy world, decisions that attempt to bridge new technologies and old laws become more and more important.”
U.S. courts and states have been taking things into their own hands in terms of privacy law these days, and this week is no exception. While recent cases have mainly tackled the Stored Communications Act, this week’s news highlights a court decision upending the way the Telephone Consumer Protection Act has been interpreted. California continues to push forward privacy bills, with the “eraser law” that would allow youths to erase misguided posts, and while industry and regulators clash on the EU data protection law’s timeline, France is pushing the EU to adopt a plan that would see non-EU tech firms regulated and taxed based on where their websites are used.
A U.S. District Court cited the Stored Communications Act as protecting “friend-only” posts on Facebook; one expert questions whether the False Light Tort is still relevant, and Apple’s new fingerprint authentication could bring up interesting questions about invoking the Fifth Amendment when it comes to accessing biometrically protected data and devices. Plus, more on HIPAA, California’s leading role in privacy legislation, breach notification in the EU and Brazil’s struggle to pass a privacy law.