Nigeria and Turkey are both considering government-proposed legislation that would require service providers to turn over to law enforcement customers’ data upon request—with fines, and possible jail time for executives, for noncompliance in Nigeria. In the U.S., senators are addressing breach response and online privacy concerns with bills of their own as the fallout continues from the Target and Neiman Marcus breaches as well as the Snowden revelations. And in Australia, the deadline for the Australian Privacy Principles looms large. The Privacy Tracker’s weekly legislative roundup covers all this and more.
Nigerian Bill Would Increase Authorities’ Access to E-Communications
Nigerian President Goodluck Jonathan has submitted a bill to the National Assembly that would allow security agents to “intercept and record electronic communications between individuals and seize usage data from Internet service providers and mobile networks,” reports AllAfrica. The Interception of Electronic Communications bill states that, where the “content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a judge may on the basis of information on oath” order a service provider to turn over, record or retain consumer data or assist authorities in doing so. The penalty for noncompliance is N10 million for service providers; for company directors, managers or officers, it is a three-year jail term, an N7 million fine or both, the report states. While some see the law as a help in fighting cybercrime and terrorism, others see it as a “direct assault on some of the most important of our individual freedoms.”
Turkish Internet Bill Would See ISPs Retaining Data for Two Years
The Turkish government has proposed a bill that would give the country’s telecommunications authority the ability to block websites deemed to violate privacy and require Internet providers to retain users’ data for two years to be made available to authorities upon request, reports the Associated Press. Some say the bill will bring censorship in Turkey to new heights and worsen press freedoms, but the government denies the accusations and says it will protect privacy. In this Deutsche Welle interview, Istanbul communications instructor Erkan Saka outlines what effect the law may have on citizens, saying, “The government's access to personal data may be the worst aspect of the law.”
U.S. Sens. Introduce Data Breach, Privacy Rights Legislation
A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents.
Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the Federal Trade Commission to release a set of security standards for businesses holding consumer data.
Sens. Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced the Personal Data Protection and Breach Accountability Act prior to Tuesday’s NTIA hearing. The act aims to deter preventable breaches, minimize consumer harm and promote information-sharing between federal agencies, law enforcement and the private sector, reports Dark Reading.
Sen. Robert Menendez (D-NJ) has announced plans to introduce the Commercial Privacy Bill of Rights. The bill aims to “give consumers the protections they need, create common-sense accountability measures for businesses so our personal information is not held hostage to the power of our technology, place limits on both the type of information businesses may collect and limit how long they can retain that information,” Menendez said in his announcement.
California AG Sues Over Delayed Breach Response
The California Attorney General’s Office (CA AG) has filed a complaint against Kaiser Foundation Health Plan, Inc., saying the company’s data breach and subsequent delayed notification violate the state’s unfair competition law, David Navetta writes for InfoLaw Group. The CA AG alleges that prior to the completion of Kaiser’s analysis of the breach, “it had sufficient information to notify at least some affected individuals,” Navetta writes, adding, “In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even if its investigation was not complete, amounted to a failure to provide notice ‘in the most expedient time possible and without unreasonable delay’ under California’s breach notice law.”
California Assemblywoman Proposes Victim Privacy Bill
Assemblywoman Toni Atkins (D-San Diego) has introduced AB 1623, which would ensure that victims of domestic violence are not denied help at family justice centers if they are undocumented immigrants or have a criminal history, reports The San Diego Union-Tribune. The bill would also mean family justice centers would not be allowed to share certain information on victims with law enforcement or other agencies without the victims’ consent.
Kentucky Bill Would Prohibit Selling of Student Data
The Kentucky Senate Education Committee has unanimously approved a bill that would prevent the sale of student data by technology companies, require school districts to post lists of all third-party web-based services they use and provide for agency audits of schools’ data collection practices, reports the Associated Press. Sen. Jimmy Higdon (R-Lebanon) notes that these protections are similar to those used to protect government data in the state, adding that students do not “have a choice when it comes to the online services they use … No company in a position to store private, school data should be able to sell that data for profit.”
New Hampshire Considering Student Social Media Bill
A New Hampshire Senate committee held a hearing on Tuesday to consider a bill that would prohibit colleges and universities from asking for access to students’ and prospective students’ social media sites, reports the Associated Press.
NJ Bill Would Require Companies To Contact Consumers Directly After Breach
New Jersey Assemblywoman Linda Stender (D-Union) has introduced legislation to toughen data breach notification standards by removing the ability of companies to use “substitute notice” as a means to notify customers affected by a large data breach, among other provisions. Law360 reports that New Jersey currently requires companies to notify residents upon reasonable belief that an unauthorized person accessed their data but provides for notice in the form of “contacting statewide media and posting a notice on its website” in the event of breaches affecting more than 500,000 people or costing more than $250,000. (Registration may be required to access this story.)
Sen. Wants Data Brokers To Name Clients
The head of the Senate Commerce Committee wants data brokers to disclose the names of their clients—especially those that categorize people as financially vulnerable or by their health status, MediaPost reports. Sen. Jay Rockefeller (D-WV) wrote a letter to Acxiom, Epsilon, LexisNexis, NextMark and MEDbase 200 asking that they name all of their clients for the last five years. Rockefeller’s concerns include that customers are being treated unfairly as a result of the personal data stored on them. He recently said he’s “revolted” by reports that brokers sell such lists as “genetic disease sufferers.”
Legislators Considering Regulating Biometrics
Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems,” Reuters reports. The legislators are examining the issue in the wake of outrage from parents who learned last year that “students' eyes were being scanned as a condition of boarding school buses in central Florida's Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children's data is taken,” the report states.
CA AG To Release Best Practices for DNT Compliance
California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law, MediaPost News reports. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, the AG’s director of privacy education and policy. Editor’s Note: For more on complying with the new law, see The Privacy Advisor exclusive, “How Should I Respond to California’s Do-Not-Track Requirements?”
Lawmakers Optimistic Data Privacy Law Will Pass; PCI DSS "Remains Solid"
While SC Magazine reports on the current state of global data breach legislation, The Hill reports some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” Meanwhile, in an interview with Computerworld, the Payment Card Industry Security Standards Council's Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year.
What the Target Incident Means for the SEC and Cybersecurity
“With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention,” write Jenner & Block’s Mary Ellen Callahan, CIPP/US, and Elaine Wolff. In this post for Privacy Perspectives, Callahan and Wolff look into the SEC’s guidance on cybersecurity, including recent comments by the agency that “underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition.” The Target incident, they point out, “highlights some of the limitations in the SEC guidance.” Editor’s Note: Callahan and Wolff will speak as part of a panel discussion on the SEC and cybersecurity at the IAPP Global Privacy Summit, March 5-7, in Washington, DC.
State AGs as Privacy Regulators—Q & A with Maryland AG Doug Gansler
In this Q&A exclusive for The Privacy Advisor, Divonne Smoyer, CIPP/US, speaks with Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler's focus was "Privacy in the Digital Age." He tells Smoyer, "State attorneys general have long been champions of consumers' privacy in the physical marketplace, where breaches of privacy are more easily contained," explaining, "if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater." Editor’s Note: Smoyer, and Aaron Lancaster, CIPP/US, wrote about the role of the AG in privacy enforcement in a recent post for Privacy Perspectives.
As DOT Pushes For Connected Cars, Senators Want Privacy Considered
While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out, Politico reports. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. Editor’s Note: Future of Privacy Forum’s Joshua Harris wrote about the issue of privacy and connected cars in a recent post for Privacy Perspectives.
Courts Tackle Privacy of Delivered Texts, Voicemails
Courthouse News Service reports the Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, Law360 reports that U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act.
HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth
The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data, The National Law Review reports. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.”
Judge: Investigators May Use Photo Metadata in Child-Exploitation Case
A federal judge has ruled that investigators may use metadata to track sources of inappropriate photos of children, Houston Chronicle reports. In his order, U.S. District Judge Gregg Costa wrote the metadata embedded in a photo of a four-year-old girl shared online solved the "needle-in-the-haystack problem" investigators face. The perpetrator’s attorney had argued phones retrieve GPS coordinates without notifying users, so “although the image was contraband, the legitimate expectation of privacy as to location and identity is not rendered unreasonable.” Costa disagreed, writing, "He gave up his right to privacy in that image once he uploaded it to the Internet … There is no basis for divvying up the image … into portions that are now public and portions in which he retains a privacy interest."
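The ruling turns on GPS coordinates that a phone writes into a photo’s Exif metadata. The following is an added example, not part of the Houston Chronicle report or the court order, showing what that metadata looks like at the byte level: it constructs a minimal JPEG whose Exif APP1 segment carries a GPS IFD with made-up coordinates, reads them back as decimal degrees the way a forensic tool would, and strips the segment, which is the step a user or an upload service would take to remove location data before sharing. Tag numbers and layout follow the Exif/TIFF specification; the sample image, its coordinates and all function names are constructed for this example.

```python
"""Read and strip Exif GPS metadata from a JPEG, standard library only (added example)."""
import struct

# Exif/TIFF tag and type numbers from the Exif specification.
TAG_GPS_IFD_POINTER = 0x8825
TAG_GPS_LAT_REF, TAG_GPS_LAT = 0x0001, 0x0002
TAG_GPS_LON_REF, TAG_GPS_LON = 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def _read_ifd(tiff, offset, bo):
    """Return {tag: (type, count, raw 4-byte value/offset field)} for one IFD."""
    (n,) = struct.unpack_from(bo + "H", tiff, offset)
    return {tag: (typ, count, raw)
            for tag, typ, count, raw in
            (struct.unpack_from(bo + "HHI4s", tiff, offset + 2 + 12 * i) for i in range(n))}


def _rationals(tiff, bo, count, raw):
    """RATIONALs are 8 bytes each, so the value field always holds an offset."""
    (off,) = struct.unpack_from(bo + "I", raw)
    out = []
    for i in range(count):
        num, den = struct.unpack_from(bo + "II", tiff, off + 8 * i)
        out.append(num / den if den else 0.0)
    return out


def gps_from_tiff(tiff):
    """Return (lat, lon) in decimal degrees, or None if there is no GPS IFD."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]          # byte-order mark
    magic, ifd0_off = struct.unpack_from(bo + "HI", tiff, 2)
    if magic != 42:
        raise ValueError("not a TIFF header")
    ifd0 = _read_ifd(tiff, ifd0_off, bo)
    if TAG_GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack_from(bo + "I", ifd0[TAG_GPS_IFD_POINTER][2])
    gps = _read_ifd(tiff, gps_off, bo)

    def dms(tag_ref, tag_val):
        typ, count, raw = gps[tag_val]
        d, m, s = _rationals(tiff, bo, count, raw)
        ref = gps[tag_ref][2][:1].decode("ascii")     # "N"/"S" or "E"/"W"
        deg = d + m / 60 + s / 3600
        return -deg if ref in ("S", "W") else deg

    return dms(TAG_GPS_LAT_REF, TAG_GPS_LAT), dms(TAG_GPS_LON_REF, TAG_GPS_LON)


def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at SOS,
    after which entropy-coded scan data (not marker segments) follows."""
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        (length,) = struct.unpack_from(">H", jpeg, pos + 2)   # length includes itself
        end = pos + 2 + length
        yield marker, pos, end
        pos = end
        if marker == 0xDA:
            break


def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\x00\x00"


def gps_from_jpeg(jpeg):
    for marker, start, end in _segments(jpeg):
        if _is_exif(jpeg, marker, start):
            return gps_from_tiff(jpeg[start + 10:end])
    return None


def strip_exif(jpeg):
    """Copy the JPEG without any Exif APP1 segment; scan data and EOI are kept verbatim."""
    out, last = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        last = end
    return bytes(out + jpeg[last:])


def build_sample_jpeg():
    """Constructed sample, not a real photo: a minimal JPEG whose Exif segment says
    38 deg 53' 23.45" N, 77 deg 00' 32" W.  Offsets: IFD0 at 8, GPS IFD at 26, rationals at 80/104."""
    bo = ">"
    entry = lambda tag, typ, count, val: struct.pack(bo + "HHI", tag, typ, count) + val
    rat = lambda *pairs: b"".join(struct.pack(bo + "II", n, d) for n, d in pairs)
    tiff = struct.pack(bo + "2sHI", b"MM", 42, 8)
    tiff += struct.pack(bo + "H", 1) + entry(TAG_GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack(bo + "I", 26))
    tiff += struct.pack(bo + "I", 0)
    tiff += struct.pack(bo + "H", 4)
    tiff += entry(TAG_GPS_LAT_REF, TYPE_ASCII, 2, b"N\x00\x00\x00")
    tiff += entry(TAG_GPS_LAT, TYPE_RATIONAL, 3, struct.pack(bo + "I", 80))
    tiff += entry(TAG_GPS_LON_REF, TYPE_ASCII, 2, b"W\x00\x00\x00")
    tiff += entry(TAG_GPS_LON, TYPE_RATIONAL, 3, struct.pack(bo + "I", 104))
    tiff += struct.pack(bo + "I", 0)
    tiff += rat((38, 1), (53, 1), (2345, 100)) + rat((77, 1), (0, 1), (32, 1))
    payload = b"Exif\x00\x00" + tiff
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    sos = b"\xff\xda" + struct.pack(">H", 2)          # empty SOS header ends the marker walk
    return b"\xff\xd8" + app1 + sos + b"\x00\x01\x02" + b"\xff\xd9"


if __name__ == "__main__":
    img = build_sample_jpeg()
    print("before strip:", gps_from_jpeg(img))
    print("after strip: ", gps_from_jpeg(strip_exif(img)))
```

The parser deliberately honours the byte-order mark and follows the IFD0 pointer rather than scanning for tag bytes, which is what separates a reliable extractor from one that can be fooled by crafted files; the stripper removes only the Exif APP1 segment, leaving JFIF, quantisation tables and the scan data intact so the image still decodes.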
Opinion: Employee PI Decision Noteworthy
In a feature for Canadian Employment Law Today, Meghan Cowan examines a recent decision by the Office of the Alberta Information and Privacy Commissioner on the collection, use and disclosure of employees’ personal information. Cowan suggests the December decision, which stems from a complaint an employee filed under the Personal Information Protection Act (PIPA), “provides a noteworthy lesson for employers when managing sensitive employee medical information.” The information in question related to medical leave and disability benefits, the report states, meeting the definition of personal employee information under PIPA. “This decision is significant not only for delineating the consent and disclosure requirements around employee medical information in Alberta, but for privacy legislation in other Canadian jurisdictions,” Cowan writes.
Takeaways from the First Cookie Consent Fines
As Deadline Approaches, APPs Continue To Make Headlines
With the 13 Australian Privacy Principles (APPs) set to replace the Information Privacy Principles and National Privacy Principles in March, many articles are offering tips on what organisations should be doing to prepare. In a report for The Guardian, Paul Farrell details how the new laws will work, and in her feature for The Sydney Morning Herald, Sylvia Pennington writes that those organisations that don’t take “reasonable steps” to comply “face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.” Pennington highlights seven tips for organisations preparing for the APPs. Meanwhile, Australasian communications firm SenateSHJ predicts privacy will be one of the top issues and trends for 2014.