Vehicle “Black Box” Privacy Act Introduced
Senators Amy Klobuchar (D-MN) and John Hoeven (R-ND) have introduced the Driver Privacy Act, which would make any information recorded by vehicle Event Data Recorders (EDRs) the property of the vehicle owner. While 14 states have passed legislation protecting this data, the Senators proposed this bill to protect all U.S. drivers. The bill specifies that EDR data may not be retrieved unless the vehicle owner consents, a court authorizes it or it is needed for emergency response or traffic safety research, among other reasons.
SCOTUS Won't Hear Privacy Lawsuit
The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies, Reuters reports. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward.
What Your Biz Can Learn from Latest FTC Settlement
The Federal Trade Commission (FTC) announced on Tuesday that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement.
Sen. Schumer Backs Offline Do-Not-Track
We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.”
Healthcare Breach Case a Boon for Encryption?
A California appeals court ruled that the Board of Regents at the University of California can't be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. mHealth News reports that the decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion "introduces risks to beneficiaries' personal information."
Rep. Johnson to Obama: Use APPS Act To Inform Bill of Rights
A Look at the Work of Sen. Wyden
The Atlantic profiles the work of Sen. Ron Wyden (D-OR) around U.S. surveillance, privacy and civil liberties and how it could lead to surveillance reform. Last month, together with Sens. Mark Udall (D-CO), Richard Blumenthal (D-CT) and Rand Paul (R-KY), Wyden introduced legislation with the intent of curbing some of the National Security Agency’s powers. Wyden is particularly focused on the agency’s use of geolocation. And last week, The Washington Post wrote, “If the public and the media should learn one thing from the revelations from former National Security Agency contractor Edward Snowden, it’s to pay very careful attention to what Sen. Ron Wyden says.”
The EU Data Protection Regulation and Directive
As you’ve probably heard, the LIBE committee voted on the EU Data Protection Regulation and Directive this past Monday. There have been numerous stories covering what that means and what will happen next, but the most recent news is that the regulation will not be enacted until 2015:
Hold Your Horses: Reg Delayed Until 2015
Despite indications from the European Commission that the EU Data Protection Regulation would be fast-tracked for spring of 2014, EurActiv reports today that the conclusions of the EU summit now call for the regulation to be enacted “by 2015,” which the report quotes French President François Hollande as meaning the beginning of that year. While many observers felt the regulation would certainly pass before the May 2014 elections, following the vote of the LIBE committee earlier this week, there is now speculation that the UK’s opposition to the regulation led to the delay. “A senior EU official told EurActiv on condition of anonymity that (UK Prime Minister David) Cameron had fought hard for the 2015 date and began the summit negotiations arguing that it would be better to have no deadline at all.” The same report notes that France and Germany have teamed to review their espionage relations with the U.S. and that Italy is now concerned the UK was involved in spying on Italian government officials. (Editor's Note: Need to make sense of where the EU regulation stands? We've got a web conference for that. And it's free for IAPP members.)
These next two offer more of a breakdown of the version of the framework that came out of the LIBE committee:
What's Next for the EU Regulation?
“After nearly two years of deliberations, the European Parliament has come out of the legislative closet with its proposed view for a new EU data privacy framework,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “In many respects, the parliament has surprised many of its critics by delivering a draft proposal which is more measured than the European Commission's original text.” In this Privacy Perspectives installment, Ustaran lays out what he believes will happen to the proposed EU regulation and how many of the measures therein “are set to have a very direct impact on the cost of compliance.”
LIBE Adopts Compromise Amendments; Sends Draft To Council
And here we have a couple of stories on what will happen with the Safe Harbor now that the regulation contains a requirement that companies get EU permission before handing over EU data to non-EU governments:
Treacherous Waters: What the World Would Look Like Without Safe Harbor
Following the vote of the LIBE committee in the EU Parliament on the new EU Data Protection Regulation, which would effectively nullify Safe Harbor with its requirements that U.S. companies seek permission before transferring data vulnerable to request for delivery to the U.S. government, it is only responsible for privacy pros to begin envisioning a world without the Safe Harbor agreement that allows data transfer between the world’s two largest trading partners. In this exclusive for Privacy Tracker, IAPP Westin Fellow Kelsey Finch lays out just what Safe Harbor is and what options companies will have for data transfer should it no longer be the law of the land. (IAPP member log-in required.)
Post LIBE Vote, Has the Safe Harbor Been Torpedoed?
In light of the LIBE committee vote in the European Parliament, Christopher Wolf, founder and co-chair of the Future of Privacy Forum, writes, “despite the fact that a Commission-initiated review of the EU-U.S. Safe Harbor is pending, it appears the LIBE Committee effectively has called for the end of the Safe Harbor.” In this Privacy Perspectives installment, Wolf looks at Article 43a of the proposed amended EU regulation—the so-called “anti-FISA clause”—to analyze what it could mean for the Safe Harbor moving forward. Wolf warns against abandoning the Safe Harbor and asks the European Parliament and Commission to “take a deep breath, and … take a dispassionate view of (its) effectiveness” before it’s effectively “blown up.”
And lastly, an opinion piece from our own Omer Tene: is it all for naught?
Opinion: Legislation Can’t Stop the Orbit of Technology
“Like the Catholic Church’s Congregation of the Index of 1616, which outlawed the movement of the Earth around the Sun, so too will the European Parliament restrict transborder data flows by legislative fiat this week,” writes Omer Tene, IAPP VP of Research and Education. “Of course,” he adds, “the flow of data across borders will not cease or even diminish.” In this Privacy Perspectives post, Tene contends that legislation—a slow-moving evolutionary process—will fail to keep up with the faster-moving technological revolution, as it has in the past.
And now, on to other legal developments in the EU:
Parliament To Vote on Suspending SWIFT
On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding.
UPDATE: Parliament voted to suspend SWIFT; you can read about that in this Covington & Burling Inside Privacy report.
Expert Examines Intra-EU Difference in Cookie Guidance
An Out-Law.com feature shares advice from Pinsent Masons’ Marc Dautlich on the Article 29 Working Party’s recent guidance on cookies. The guidance “highlights a continuing lack of harmonisation on definitions central to European data protection laws, which are interpreted differently across different EU countries,” the report states. Dautlich notes such differences as varied interpretations of fundamental terms. The way those differences are “enforced by the national data protection authorities remains a key issue for the success, or otherwise, of the EU Data Protection Regulation, one of the key aims of which is better harmonisation across Europe,” the report states.
France Backs Fines for Sharing with U.S. Gov't
France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue, The Telegraph reports. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens’ trust,” said European Commission President José Manuel Barroso.
CNIL Releases New Notification Procedure
The Commission Nationale De L'informatique et Des Libertés (CNIL) has released a new mandatory online notification procedure for electronic communications service providers “to rapidly report data breaches to CNIL in compliance with new EC Regulation (No.611/2013),” Mondaq reports. Data breaches must be reported to the CNIL using a standardized online notification form and “must include all details set out in Annex I of the regulation and be made no later than 24 hours after the detection of the breach,” the report states, noting, “Where full details cannot be provided, organisations must make an initial notification with additional information provided no later than three days after the date of the breach.”
Expert Examines Changes to Australian Privacy Principles
In a feature for Lexology, Addisons’ Cate Sendall examines the changes to Australia’s privacy law due to come into effect in March. The Australian Privacy Principles (APPs) “will combine and replace the National Privacy Principles and the Information Privacy Principles contained in the Privacy Act 1988,” Sendall writes, noting the APPs will apply to all direct-selling organisations with an annual turnover of $3 million or more. By 12 March, such organisations will be required to adhere to multiple APP requirements, including not using or disclosing “any information they may hold about an individual for direct marketing, subject to specific exceptions.” The amendments also provide the privacy commissioner with additional enforcement powers. (Registration may be required to access this story.)
New Ecuadorian Penal Code Could Breach Internet Privacy
Recently passed legislation in Ecuador, the Código Orgánico Integral Penal (the Organic Penal Code), is raising concerns from various civil society organizations that it could threaten “the inviolability, storage and subsequent analysis of information that citizens generate on the Internet and on any other telecommunications platforms like landline or cellular telephones,” Global Voices Online reports. According to some organizations raising concerns, the legislation would require all telecommunications companies to store all data traffic of their users, the report states.