Looking at the federal and state bills being introduced in the U.S., this Privacy Tracker weekly roundup reports on lawmakers’ efforts to get privacy-protecting laws on the books; however, FTC Commissioner Maureen Ohlhausen has called for legislators to look to existing laws, saying “We simply do not need new talk, new laws or new regulations.” Also take a look at new compliance hurdles for organizations in Canada and Australia as new laws are set to roll out in those countries, and, in the EU, the amendments the LIBE has published that it would like to see in the Network and Information Security Directive.
Documented Consent Needed To Avoid TCPA Claims
A federal court has denied a motion to dismiss a Telephone Communications Protection Act (TCPA) case, indicating that companies need to have proof of consent in order to avoid TCPA claims, reports Inside Privacy. The case involves a customer offering up her cellphone number in a loan application, which the Federal Communications Commission (FCC) has held to be a valid form of prior consent; however, the company did not produce the customer’s actual application but only an example of the application form the company used at the time. “Were Defendant CheckSmart able to submit Plaintiff's actual loan application showing that she provided these phone numbers, the court would need to evaluate the issue further,” wrote Judge Karon Owen Bowdre. According to the report, this serves as “a reminder that companies should ensure that they collect and retain sufficient documentation of compliance with the TCPA.”
Ohlhausen: We Don’t Need New Laws
Law360 reports that during a Technology Policy Institute event last week, FTC Commissioner Maureen Ohlhausen pushed for government officials to “focus on enforcing the powerful laws we already have,” adding, “We simply do not need new talk, new laws or new regulations.” Ohlhausen voiced her opinion that Big Data doesn’t raise “fundamentally new issues,” and before assuming new rules are needed, officials should consider whether existing law will address problems that arise from new technologies. (Registration may be required to access this story.)
House Passes Two ACA Security, Transparency Bills
On January 10, the House of Representatives passed the Health Exchange Security and Transparency Act that would require the Department of Health and Human Services to notify individuals within 48 hours of a health exchange breach, reports HealthIT Security. While House Republicans say it’s important for patients to know of breaches quickly, President Barack Obama has said it would mean “unrealistic and costly paperwork requirements,” noting that it does nothing to improve perceived security flaws in the exchanges. The bill is expected to fail in the Senate.
On January 16, the House also passed the Exchange Information Disclosure Act, which, among other provisions, would mean Congress would receive weekly reports on technical problems with healthcare.gov, “including those related to consumer privacy and data security,” reports GovInfo Security.
20 Bills To Watch This Year
Inside Privacy offers up a list of pending legislation that privacy professionals should keep an eye on this year. Included in the list are the Personal Data Privacy and Security Act of 2014, the Electronic Communications Privacy Act Amendments Act of 2013 and the Drone Aircraft Privacy and Transparency Act of 2013 in the Senate and in the House, the Do Not Track Kids Act, the Cyber Privacy Fortification Act of 2013 and the GPS Act.
CA Rep. Introduces NSA Collection Restructuring Bill
Rep. Adam Schiff (D-CA) has introduced a proposal that would eliminate call records from the types of information the government can collect under the USA PATRIOT Act, according to a press release. Instead, approval from the Foreign Intelligence Surveillance Court would be required to access call records on a case-by-case basis. The bill “mirrors the restructuring of the telephone metadata program recommended by the President’s Review Group on Intelligence and Communications Technologies, as well as changes that Congressman Schiff has been advocating for since before the metadata program was made public,” the release states.
CA Bill Would Prohibit Selling of License-Plate Camera Data
Sen. Jerry Hill (D-San Mateo) has introduced SB 893, which would prevent police from selling data from license-plate reading cameras to private parties, while still allowing them to use the data in investigations, reports The Almanac. The bill would also require police to obtain a warrant to access license-plate data more than five years old and would allow victims to sue and recover damages.
Florida To Reconsider Prescription Drug Database
State Senator Aaron Bean (R-District 4) is drafting a bill that would restrict access to the state’s prescription drug database. The Florida Department of Health last year gave defense attorneys the prescription histories of 3,300 people, reports WOKV. Bean claims this was outside the scope, and the incident inspired him to write legislation to address it.
Maine Considering Social Media Bill
LD 1194, sponsored by Rep. Michael McClellan (R-Raymond), would prohibit employers or educational institutions from requiring a student, employee or prospective employee to provide access to social media or personal e-mail accounts. Kennebec Journal reports that opponents of the bill say it could make it harder for school officials to address cyberbullying; however, an ACLU of Maine representative said provisions in the bill allow for schools to access an account after contacting a parent in specific circumstances. The Judiciary Committee is scheduled to consider the bill on Tuesday.
Maryland To Consider Anti-Surveillance Package
A bipartisan group of lawmakers in Maryland introduced on Tuesday a package of bills that would require state and local police to get a warrant before intercepting e-mail communications or tracking individuals using drones, mobile phones or license-plate readers, reports The Washington Post. “The technology has gotten way out in front of the law,” said Sen. Jamie Raskin (D-Montgomery).
South Carolina Considers Digital Privacy Legislation
Members of the South Carolina House say they plan to pass a digital privacy law this year that would give similar protections to mobile phones as afforded to homes, reports heraldonline.com. House Speaker Bobby Harrell (R-Charleston) says since the 2012 breach at the Department of Revenue, the issue of protecting citizens’ data has gained momentum, noting, “In today’s society, privacy is becoming a harder and harder thing to protect.” A state law enforcement spokeswoman said officers have concerns that a digital privacy law would “affect our ability to get violent offenders off the streets.”
NH Reps. Introduce State Drone Privacy Bill
After a failed attempt to pass a drone privacy bill last year, New Hampshire Reps. Neal Kurk (R-District 2) and Joe Duarte (R-District 2) have introduced bills requiring police to get a warrant in order to use information obtained through drone use in court, reports the Associated Press. In an effort to thwart concerns voiced last year, Kurk’s bill includes a provision stating that it would only take effect if allowed under federal law.
Washington Sen. Calls for Student Data Study
Rep. Elizabeth Scott (D-Monroe) has sponsored a bill calling for a study into how much student data is being released without consent, reports KUOW. The bill aims to help the legislature decide whether it should change data handling practices. Scott says she’s concerned about changes to the Family Educational Rights and Privacy Act that allow personally identifiable data to be shared with companies, adding that the growth of programs like the Common Core State Standards will increase the amount of data collected. The House Education Committee is scheduled to discuss the bill on Wednesday.
Kenyan Official To Get Access to Mobile Network User Info
The Kenya Information and Communication Amendment Act 2013 is expected to be signed into law this week and would mean the Communications Commission of Kenya (CCK) would have unlimited access to mobile network consumers’ confidential information, reports ITWeb Africa. There are questions surrounding the constitutionality of the act, however. While one article guarantees citizens a right to privacy, another—used to justify the regulation—allows any citizen access to “information held by the state or any information that is held by another person and that is required for the exercise or protection of any right or fundamental freedom,” the report states.
Lawmakers To Introduce Bill on Driver Privacy
The New York Times reports on privacy concerns based on increasingly sophisticated technology systems in cars. While automakers say they are responding to consumer demand, privacy advocates disagree. Sens. John Hoeven (R-ND) and Amy Klobuchar (D-MN) will soon introduce a bill that would put car owners in control of the data collected on the vehicle event data recorders commonly known as black boxes. “We’ve got real privacy concerns on the part of the public,” Hoeven said. “People are very concerned about their personal privacy, especially as technology continues to advance.” (Registration may be required to access this story.)
Court Denies Suit Alleging Data Broker's Liability
The U.S. Supreme Court has denied a New York man’s request to hold a data broker liable for illegally selling data taken from Department of Motor Vehicles records, Law360 reports. The records were sold to a stranger who allegedly tracked down Erik Gordon and harassed him. The court “refused to grant certiorari” to Gordon’s challenge to a Second Circuit ruling, which rejected his efforts to sue Softech International for the alleged privacy breach. (Registration may be required to access this story.)
TeleCheck To Pay $3.5M for FCRA Violations
The Federal Trade Commission (FTC) announced yesterday that TeleCheck Services, a check authorization service company, along with its associated debt-collection entity, TRS Recovery Services, has agreed to pay $3.5 million as part of a settlement. The FTC charged the firm with violating the Fair Credit Reporting Act (FCRA) by not following proper dispute procedures and sometimes not investigating disputes at all when consumers had their checks denied by retailers based on TeleCheck’s information. Further, the FTC claimed TRS did not abide by the “Furnisher Rule,” which mandates that those providing credit information ensure that information’s accuracy and integrity. The settlement amount is the second-largest for an FCRA violation.
Google Privacy Lawsuit Revised, Says Execs Made "Conscious Decision"
Bloomberg reports on a revised privacy lawsuit against Google. The suit alleges the company commingled data across its services and products in a Google project called Emerald Sea. U.S. Magistrate Judge Paul Grewal ruled in December that the plaintiffs failed to demonstrate harm caused by Google’s actions, and for the case to proceed, the plaintiffs must show how the commingling of data deprived them of the “economic value” of their data, the report states. Thursday’s revised complaint alleges Google executives in 2010 “made a conscious decision to withhold from the public information pertaining to the Emerald Sea plan, including Google’s intention to violate all existing privacy policies that placed any limitations on Google’s ability to combine information across platforms by doing precisely that once Emerald Sea became a reality.”
Kentucky May Become 47th Breach Notification State
Breach notification bills are beginning to pile up in the U.S. Senate, GovInfoSecurity reports, and lawmakers in Kentucky have introduced data breach notification legislation that, if passed, would make Kentucky the 47th state to enact such legislation. One expert says there currently isn’t support for a bill covering the private sector, but there is for the public sector.
Court Upholds "Reasonable Suspicion" Requirement for Device Searches
The U.S. Supreme Court has upheld a U.S. Circuit Court of Appeals ruling from last year that said officials at U.S. borders must have “reasonable suspicion” of criminal activity in order to run forensic analysis software on travelers’ mobile devices, Wired reports. While agents are allowed to search devices on a whim—just as they would a vehicle—the court upheld the appeals court ruling that using software to “decrypt password-protected files or to locate deleted files” cannot be done without facts pointing to illegal activity, the report states.
CASL: What You Need To Know and When
Shaun Brown of nNovation offers a detailed breakdown of the newly published regulations under Canada’s Anti-Spam Legislation (CASL) in this Privacy Tracker blog post. Implementation of CASL will come in three waves, the first of which, rules that apply to computer programs, is already in force. While many of the regulations mirror those pre-published in the draft released at this time last year, there are some changes, including new exceptions for closed platforms, limited-access accounts where organizations communicate directly with recipients, messages targeted at foreign persons and fundraising by charities and political parties. (IAPP member login required.)
OPC: Google Ads Violated Privacy Law
After an investigation, the Office of the Privacy Commissioner (OPC) has said Google violated a Canadian citizen’s privacy rights when he was targeted with health-related advertisements. After a man searched the Internet for information on sleep apnea, he began receiving advertisements for devices related to the health disorder. In response to the OPC’s order, Google has said it will take steps to stop the privacy-intrusive advertisements. “We are pleased Google is acting to address this problem,” said Interim Privacy Commissioner Chantal Bernier in a press release, adding, “It is inappropriate for this type of information to be used in online behavioral advertising.” Bernier, whose office received support from the U.S. Federal Trade Commission, also said, “We will be contacting various advertising stakeholders in the near future to share these investigation results and remind them of their privacy obligations.”
Is the EU's "Anti-FISA" Clause Practical?
The Snowden revelations have helped reintroduce into the EU’s proposed General Data Protection Regulation a provision that would limit and control personal data transfers to third countries. Often referred to as the “anti-FISA” clause, the provision gives rise to a number of concerns regarding practicality and legality, writes Danish Ministry of Finance Senior Policy Advisor Christian Wiese Svanberg in this installment of Privacy Perspectives. Svanberg notes, “the issues raised by the proposal are numerous,” adding, “does the word ‘judgment’ also cover court orders, subpoenas, letters of request … And what constitutes an ‘international agreement’ for the purposes of the provision?”
LIBE Publishes NIS Directive Draft Amendments
Out-Law.com reports on the Committee on Civil Liberties, Justice and Home Affairs (LIBE) publication of “a list of draft amendments MEPs in the group would like to see made to the European Commission's proposed Network and Information Security (NIS) Directive.” The proposed NIS Directive, first published last year, “aims to ensure that banks, energy companies and other businesses involved in the operation of critical infrastructure maintain sufficiently secure systems,” the report states. MEP Marie-Christine Vergiat has suggested the standard of protection should differ by organisation, while other proposals include recommending the NIS Directive’s implementation be postponed until after the introduction of EU data protection reforms.
Court of Human Rights Supports Finnish Court Decision
The Wall Street Journal reports on a European Court of Human Rights ruling supporting an earlier Finnish court decision to fine author Susan Ruusunen for writing “a tell-all book” in 2007 about then-Prime Minister Matti Vanhanen. “The judgment on Tuesday is the latest example of the Strasbourg-based court having to toe the line between upholding the European Convention on Human Rights articles of freedom of expression and the privacy rights of people, even those in the spotlight,” the report states. Finland’s Supreme Court found against Ruusunen and her publisher back in 2010. (Registration may be required to access this story.)
Australia: Will Entities Use Privacy Act "Get Out of Gaol Free" Cards?
In a series of IT News blogs, Brett Winterford explores “the improbability of Privacy Act compliance,” noting that as the 12 March deadline looms, “Australia’s new Privacy Act will come into effect during a period of tremendous turbulence in the technology sector, owing to a surge in subscriptions to cloud computing services.” Winterford advises organisations that use or plan to use “public cloud computing services that are hosted offshore … consider Australia’s amended Privacy Act in detail.” Winterford also details the Office of the Australian Information Commissioner’s “two ‘get out of gaol’ cards”—commensurate contract and consent—that “corporate Australia will make use of.”
Australian Orgs Should Set Responsible Disclosure Expectations
Highlighting cases where organisations were informed—sometimes by researchers or “white hat” hackers—of vulnerabilities but did not take appropriate action, a ZDNet report quotes Bugcrowd’s Jonathan Cran as saying, “It really comes down to 'don't be a jerk'—on both sides. But that's not legally scalable … Unless the organization defines what they expect with a responsible disclosure or bug bounty policy, the researcher is often left guessing." Cran discusses the importance of organisations becoming “proactive in defining 'reasonable' or 'responsible'—and setting expectations” or researchers are left “to decide what it means for both parties. Often, researchers have a sense of civic responsibility to let the public know what they've found."