New TCPA Rules in Effect October 16
The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. (IAPP member login required.)
Are Class-Actions Becoming Too Big To Settle?
The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. (Registration may be required to access this story.)
Does the U.S. Have a De Facto National DPA?
Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Systems. Or any of the dozens of other companies that have been pursued by the U.S. Federal Trade Commission (FTC) over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC.
Amendment Would Require EU Permission for U.S. Law Access
Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups has written to the European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” (Registration may be required to access this story.)
PA House Passes 911 Privacy Bill
Patch.com reports that the Pennsylvania House has passed HB 1041, providing an exemption to the state’s Right-To-Know law for information that could identify a 911 caller. The bill is sponsored by Joe Hackett (R-Delaware), who noted, “the identity of the caller must be kept confidential to prevent cases of retribution against informants and to ensure the public has a sense of safety and privacy when reporting a crime or other emergency.” The bill now heads to the Senate.
Texas AG Seeks To Stop Dating Service's Database Sale
Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved, KFYO reports. True.com filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for True.com and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said.
Is DoJ Setting Up New SCOTUS Wiretapping Test?
The New York Times reports that the U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” (Registration may be required to access this story.)
And, in case you missed it…
A Model Bill To Put CPOs in State DoEs
Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). In this Privacy Tracker blog post, Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations,” writes Kaplan. (IAPP member login required.)
Two Years Later, LIBE To Vote on Reg
The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strasbourg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.”
Editor’s note: The Privacy Tracker also ran a piece last week on what this vote really means for the future of EU data protection law. You can read it here.
Gov't To Consult on Jail Time for Breaches
The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), Out-Law.com reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states.
ECJ: Protection Against Passport Fraud Outweighs Privacy
The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU's Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof," the court has said.
ICO: We Do Not Discriminate
Computing reports on the insistence of the Information Commissioner's Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion “nobody has been ‘let off’ fines” since the ICO received the power to levy fines up to 500,000 GBP three years ago. “I think there's certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a pay day loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.”
ECHR Anonymous Posting Decision Sparks Concern
The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, "This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals' rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states.
Comparing Manitoba's Privacy Law With Alberta's
Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states.
Australian Prof: Privacy Tort Can't Do Everything
The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything--even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” (Registration may be required to access this story.)
Hong Kong PCPD Orders Company To Stop Supplying Data
“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. (Registration may be required to access this story.)
Bahrain Cabinet Approves Draft Privacy Law
Gulf Daily News reports that during the cabinet’s weekly session, it gave its initial approval to draft legislation that “aims to provide legal protection of personal privacy, which is a fundamental constitutional right.” According to Minister of State for Information Affairs and official government spokeswoman Sameera Rajab, the bill “includes the protection of digital data,” in order to “enhance public confidence in electronic transactions through the preservation and protection of personal data.”
The cabinet has referred the bill to the ministerial committee for legal affairs and, according to the report, more details about it will be available after it is discussed in the National Assembly.