How California Is Shaping Privacy Law
With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. In this Privacy Tracker exclusive, the Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented.
Montana Gun Owner Healthcare Privacy Law Goes Into Effect
As of October 1, healthcare providers—including psychological practitioners—are no longer allowed to ask patients about gun ownership, possession or use, reports Fairfield Sun Times. HB 459, now Montana law at 50-16-108, M.C.A., aims to address gun owners’ concerns that medical records could be used to collect and centralize information about gun ownership.
DoJ, Oklahoma Rep. Mulling Drone Regulations
A new report from the Office of the Inspector General (OIG) recommends that the Department of Justice look into creating rules for law enforcement’s use of drones. The Verge reports that the OIG’s recommendation follows an audit of drone use by the FBI, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration and U.S. Marshals Service. Meanwhile, Oklahoma Rep. Paul Wesselhoft (R-Moore) is teaming up with the American Civil Liberties Union to come up with privacy laws surrounding the use of drones by the government.
Will Voters Support "Presumption of Harm" in Breach Cases?
In a Mondaq report, Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer's express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual's personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach.
Telemarketing Rules Go Into Effect this Month
Mintz Levin’s Privacy and Security Matters reports that the Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.”
State AG: Federal Breach Law? No Way
Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.”
Opinion: CA Revenge Porn Law Doesn't Go Far Enough
On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelon for Slate, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.”
One Class-Action Dismissed; Another Dismissal Sought
A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action, Law360 reports. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user's amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user's claims vague and deliberately obtuse,” the report states. (Registration may be required to access this story.)
Hulu Seeks Dismissal of VPPA Case
Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn't suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.”
At Academy, Experts Weigh In on Regulation
The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes, Bird & Bird Partner Ruth Boardman and Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E. This exclusive for The Privacy Advisor examines the perceived rut the regulation is in—with McDougall suggesting it is on step one of 30—and what should be expected with a potential regulation, including predictions it will be more prescriptive around data retention. Meanwhile, reports suggest more than one third of smaller EU firms “are risking prosecution under data retention laws by hoarding data beyond the scope and period required by law.”
"Privacy by Default" Could Be Major Post-Regulation Issue
“Privacy by Design” is as close to privacy dogma as you’re going to get. Regulatory bodies across the globe now provide this idea, developed by Ontario Information and Privacy Commissioner Ann Cavoukian, as guidance for all technology companies that hope to gather personal information. At the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw, however, it was the idea of “privacy by default” that produced one of the most interesting back-and-forths. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on the discussion, which featured Jacob Kohnstamm, Omer Tene and Reijo Aarnio.
Privacy Groups Taking GCHQ To Court
Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHQ’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.”
Dutch Gov't Wants Input on Cookie Rules Change
The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from the rules in that, if browsers allow users to actively configure settings, implicit consent may be an acceptable method, the report states.
OAIC Releases Best Practice Guide for Apps
The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products, TechWorld reports. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphone apps due to privacy concerns.
Gov't Urged To Rewrite Terms of Reference
The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law, The Australian reports. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward.
Zimbabwe Passes Centralized SIM Card Database
The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013 establishes a central database of information about all mobile telephone users in the country based on powers granted through the Interception of Communications Act. Kubatana reports that the Statutory Instrument requires telecommunications providers to establish a subscriber database of all SIM card holders including phone numbers, names, addresses, genders, nationalities and passport or ID numbers, then regularly submit copies to the government, which will create its own central subscriber information database.