German Court of Justice Clarifies Rules on Credit Scoring, Access
Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. Hunton & Williams’ Privacy and Information Security Law Blog reports that “while credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score.
Montana Allows Review of Post-Suicide Medical Records
In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year, reports KRTV. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana's Suicide Prevention Coordinator Karl Rosston says "None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We're not going to take one isolated incident and say ‘this is what happens'."
South Dakota House Considering Student Privacy Bill
CA Senate Passes Bill To Protect, Limit Online Data Collection, Retention
The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they don’t need it, reports the Associated Press. Sen. Hanna-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons.
Nebraska Citizens Voice Privacy Concerns Over Wages Bill
The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. The McCook Daily Gazette reports that the listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service.
Judge: CA’s Two-Party Consent Doesn’t Apply to Out-of-Staters
U.S. District Court Judge Josephine Staton has dismissed Annette Jonczyk v. First National Capital Corporation et al, stating that because Jonczyk is not a California resident, the state’s two-party consent statute, requiring both parties to consent to recording a phone call, does not apply to her. At the crux of the case is that First National is a California company and recorded a call, without consent, to Jonczyk, a Missouri resident, and Missouri is a one-party consent state. Staton noted that the California legislature’s intent is to “protect the right of privacy of the people of this state.” Scott Koller of Information Law Group writes, “applying California law to this case would not further that goal. On the other hand, Missouri specifically limited their privacy protection statute to allow a single party to consent to a recording.”
Maine Committee Quashes Social Media Bill, Opts for Study
The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts, reports Portland Press Herald. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.”
West Virginia House Passes Social Media Bill
The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees, reports The Journal. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate.
Indiana House To See Bill Restricting Police Surveillance Techniques
Associated Press reports that the House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future.
Missouri Considers Constitutional Protection for Electronics
Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure, reports the Associated Press. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November.
California Assembly Passes Drone Bill, Including Data Retention, Use Provisions
The Washington Post reports that the California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when it plans to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with the authorities. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate.
Georgia General Assembly Considers Two Drone Bills
Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance,” reports the Associated Press. And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill.
Iowa Considering Drone Privacy Bill
Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations, reports the Associated Press. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion.
Minnesota Bill Would Regulate Police Drone Use
Legislation has been proposed in Minnesota to regulate police use of drones, the Associated Press reports. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger.
New Hampshire Bill Would Restrict Police, Public Use of Drones
New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state, reports the Union Leader. This bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on first amendment rights, according to the director of the NH Civil Liberties Union, which, based on those grounds, does not support the bill.
Utah Sen. Introduces Drone Privacy Bill
Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent, reports Deseret News. The bill also puts limits on the retention of data obtained by drones.
Criminal Liability in Breach Legislation Could Be a Recipe for Disaster
With recent high-level data breaches, and the introduction by Sen. Patrick Leahy (D-VT) of the Personal Data Privacy and Security Act of 2014, some are hopeful a federal breach notification statute is on the horizon. There is one issue, however, raised by Leahy’s bill that “deserves considerable debate,” writes Andrew Proia, of Indiana University’s Center for Applied Cybersecurity Research and Maurer School of Law. “In addition to creating the federal breach notification law, Section 102 of Leahy’s bill would open the door to criminal liability for anyone who ‘intentionally and willfully’ conceals the fact of a security breach,” he writes for Privacy Perspectives, adding, “it would be wise for the information privacy and security community to think critically about whether the bill’s criminal statute would be a prudent addition.”
Constitutionality of NSA Surveillance Challenged in Court
A suspect facing terrorism charges has become the first criminal defendant to challenge the constitutionality of the National Security Agency’s bulk surveillance program, The Washington Post reports. A motion was filed in a federal court to suppress any evidence against the defendant gathered from the warrantless government surveillance under the FISA Amendments Act. The defendant “believes that the government’s surveillance of him was unlawful for the simple fact that it was carried out … under a statute that fails to comply with the Fourth Amendment’s most basic requirements,” according to the motion. In a separate case, for the first time in FISA’s 36-year history, a federal judge has allowed a defense lawyer to review classified evidence gathered under the law. (Registration may be required to access this story.)
Google Denied Chance To Immediately Appeal Wiretap Ruling
U.S. District Court Judge Lucy Koh has denied Google’s request to immediately appeal her ruling that the company’s scanning of Gmail messages potentially violates the Electronic Communications Privacy Act, MediaPost News reports. That means the ruling will stand for now. Koh’s ruling could have implications for Internet service providers’ common practices—even seemingly innocuous ones like scanning for viruses. “We desperately need clarity on the legal question,” said one law professor, adding it could be months, years or longer before that arrives.
Will FTC's Recent Safe Harbor Settlements Quench Europe's Thirst for Enforcement?
The Federal Trade Commission (FTC) last week announced it had settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it was business as usual. But does it at least indicate more enforcement to follow? Will the EU be placated? FTC Commissioner Julie Brill said she does not “believe these settlements were reached because of pressure from the European Commission or anyone else.” But some say the settlements were expected and the “ball was in the FTC's court after the developments in Europe.” The researcher who filed the complaints said he supports all but one of the settlements. This exclusive for The Privacy Advisor zooms in.
Alberta To Update Law
Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional,” The Canadian Press reports. The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government's intention to pass the amendments early in the fall 2014 session to comply with the court's ruling,” Service Alberta’s Gerald Kastendieck said Wednesday. The amendments will “focus on unions and picketing,” the report states, noting, “There won't be a general review of the 10-year-old legislation this year.”
Premier Calls for Changes to Restrictions
Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended,” The Globe and Mail reports. Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports.
South Korean Commissioner Fines Google Over Street View
South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service, The Korean Herald reports. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae.
2014 Brings the World Cup and Perhaps New Privacy Laws to Brazil
This Privacy Tracker post from the Hogan Lovells privacy team explores the impact two proposed privacy laws would have on organizations that provide digital products and services to Brazilian consumers. The Marco Civil da Internet would establish data protection requirements and preserve net neutrality, and the Data Protection Bill would establish an EU-style framework for the processing of personal data. These laws have been in limbo for the past few years, but will the fallout from U.S. government surveillance practices be the inspiration Brazilian lawmakers need to pass provisions, including some that would restrict cross-border data transfers?