In this Privacy Tracker weekly legislative roundup, read about the prospects of German advocacy groups getting the right to sue businesses, the status of the Philippines’ cybercrime law and proposals in the U.S. pushing for less data collection and more consumer protections. The Utah attorney general has stopped using administrative subpoenas for cellphone and Internet data, saying “writing yourself a note to go after that stuff without any check is too dangerous,” while the Senate looks at a bill that would mean law enforcement needs a judge’s order as well. Also, Orin Kerr has published an article supposing what a communication privacy act might look like if the U.S. scrapped ECPA and started from scratch, and there’s a handy interactive map outlining the status of social media privacy laws throughout the U.S.
German Advocacies To Get Right To Sue Businesses for Breach of Data Protection Law
Hunton & Williams’ Privacy and Information Security Law Blog reports that the German federal minister of justice and consumer protection plans to introduce a draft law that would give consumer rights organizations the ability to sue businesses for breaches of the country’s data protection law. The law would mean a “fundamental change in how German data protection law is enforced,” the report states, adding, “Currently, only the affected individuals as well as Germany’s criminal prosecutors and data protection authorities have legal standing to sue businesses for breaches of data protection law.”
Filipino Supreme Court Delays Announcement on Cybercrime Law
The spokesperson for the Supreme Court of the Philippines says the court is “not yet ready to release” its decision on the controversial Cybercrime Prevention Act but will do so this week, reports GMA News. Several petitions have been filed against multiple provisions in the law, many of which claim the act violates the people’s right to free speech. The Philippine Internet Freedom Alliance says the law would amount to “mass surveillance” and notes one section involving “‘real-time collection of traffic data’ violates the right to privacy in communication as upheld by the United Nations General Assembly in its resolution ‘Right to Privacy in the Digital Age.’”
U.S. Bill Would Create Smartphone “Kill Switch”
Sens. Amy Klobuchar (D-MN), Barbara Mikulski (D-MD), Richard Blumenthal (D-CT) and Mazie Hirono (D-HI) have introduced the Smartphone Theft Prevention Act, which would require every smartphone sold in the U.S. to have a kill switch that can be activated remotely, reports International Business Times. The bill aims to prevent mobile phone theft and is similar to one proposed in California earlier this month. While many support the bill, others say criminalizing tampering with mobile device identifiers is a better option—legislation that was reintroduced in May of 2013 by Sen. Chuck Schumer (D-NY).
Kerr’s “Thought Experiment” on Future U.S. Communication Privacy Laws
Orin Kerr has published an article offering a “thought experiment about what might happen if Congress were to repeal ECPA and enact a new privacy statute to replace it,” he writes for The Washington Post. The Next Generation Communications Privacy Act, 162 U. Pa. L. Rev. 373 (2014), has just been published. The article “contends that a next generation privacy act should contain four features,” including imposing the “same requirement on access to all contents” and “minimization rules on all accessed content.”
Interactive Map of U.S. State Social Media Laws
Check out this handy map from HR.BLR.com. It shows which states have social media privacy laws, and where others are in the process, if at all.
Questions Arise Over Arizona Drone Bill
Rep. Bob Thorpe (R-Flagstaff) has introduced legislation that would make it illegal to use drones to observe individuals or private property without permission; however, there are questions over what the bill would mean for law enforcement and whether it makes sense with current trespassing laws. Verde Independent reports that Pima County Attorney Barbara LaWall has concerns with the provision preventing police from using drones for surveillance and sees problems with treating air space as personal property. Thorpe says while the bill may need revision, he believes surveillance of an individual or property should require a warrant.
California Utilities Commission Votes Not To Regulate Apps
The California Public Utility Commission voted 3-2 that it lacks jurisdiction to regulate the privacy practices of app developers and wireless communications providers, reports TechWire. The Consumer Federation of California, The Utility Reform Network and Privacy Rights Clearinghouse asked the commission to review developers’ and providers’ privacy practices and develop standards for the industries based on concerns over their handling of personal data, but “The petition does not provide clear document of gaps in existing privacy laws and regulations or examples of actual instances of harm from privacy violations by telecommunications corporations” according to the commission’s decision.
Florida Sen. Introduces Social Media, Texting Privacy Bills
Florida Sen. Jeff Clemens (D-Lake Worth) has filed bills to prohibit employers’ access to employee social media accounts and to add texting to the current do-not-call list, reports WLRN. CB/SB 450 would prohibit telephone solicitors “from transmitting certain text messages to a consumer if the consumer is on the ‘no sales solicitation calls’ list.” SB 198 would prohibit employers from requiring access to personal social media accounts of employees or prospective employees.
Maryland Bill Would Cut Off NSA from Utilities
Del. Michael D. Smigiel Sr. (R-Cecil County) is the main sponsor of legislation introduced in the Maryland General Assembly that would require state and local officials to refuse to cooperate with the National Security Agency (NSA) in “a wide variety of ways if it continues to collect bulk electronic data without specific warrants,” reports The Baltimore Sun. The Fourth Amendment Protection Act would permanently oust officials who violate the law from their posts. "The NSA is nothing but a tool and we need to make sure the tool is sharpened and pointed in the right direction," said Smigiel. But U.S. Rep. C. A. Dutch Ruppersberger (D-MD) has called the bill "unnecessarily punitive and ill-informed."
Missouri Senate Passes Workers’ Comp Database
The Missouri Senate has passed SB 536, which would create an online database of workers' compensation claims, reports the San Francisco Chronicle. Businesses could provide job applicants’ names and Social Security numbers to find out the date and status of their workers’ compensation claims. Supporters say the bill would help businesses control workers' compensation costs, the report states, but Gov. Jay Nixon last year vetoed a similar bill, citing privacy concerns.
Oklahoma House Passes Social Media Bill
The Oklahoma House has passed Bill 2372, which would prohibit employers from requesting login information or “other means of accessing” employees’ or prospective employees’ social media accounts, reports The Oklahoman. It would also allow employees and potential employees to sue employers who violate the law for $500 per violation or actual damages plus court costs and attorneys’ fees. The bill now heads to the Senate.
Oregon Legislature and Transit System Work on Privacy Bill
In anticipation of a new electronic fare collection system, regional transit agency TriMet is working with the Oregon legislature to protect riders’ privacy. The Portland Tribune reports that HB 4086 would restrict the amount of personal information that can be released from the systems. Currently, TriMet would have to release personal information about riders upon request, but HB 4086 would amend the public records laws to protect some personally identifiable information. The House Judiciary Committee unanimously approved the bill, and it now heads to the House floor.
Opinion: Tennessee Victims’ Privacy Bill Could Have Negative Ramifications
A bill aiming to protect the privacy of victims of sexual assault may also end up stifling media coverage of crimes and “could be used to prevent defense attorneys from discussing evidence with their clients,” according to an op-ed in The Tennessean. SB 2254 would prohibit public officials from disclosing “any portion of a report, paper, picture, photograph, video, court file or other document which tends to identify such alleged victim.”
Utah AG Gives Up Administrative Subpoenas
Utah Attorney General Sean Reyes has announced that his office will no longer use administrative subpoenas, which allow investigators to access some Internet and cellphone records without a warrant, reports the Associated Press. "The wholesale writing yourself a note to go after that stuff without any check is too dangerous, and the potential for abuse becomes too dangerous," said Reyes. Meanwhile, the Utah Senate Judiciary Committee unanimously passed a bill that would require all law enforcement to submit subpoenas to the same judicial review, as opposed to allowing prosecutors to sign subpoenas for certain cellphone and Internet records.
Virginia Delays Police Data Collection Bill
The Virginia Senate General Laws and Technology Committee has delayed taking action on SB 670, which would limit law enforcement’s use of technology to collect and store personal information, reports The Virginian-Pilot. Sen. Chap Petersen (D-Fairfax), the bill’s sponsor, asked for the delay to allow more time to study the issue. However, HB 17, which would require a warrant to use cell tower tracking technology, has gotten more traction, according to the report.
Virginia Lawmakers Form Privacy Protection Caucus
A bipartisan group of lawmakers in the Virginia General Assembly has created the Personal Privacy Protection Caucus in order to “refine the law to prevent state and local governments from large-scale gathering and storage of personal data,” reports WVTF. The caucus plans to consult law enforcement and craft new legislation, saying it would like to “strike the right balance between public safety and Fourth Amendment protections.”
West Virginia Senate Passes Guidelines for Student Data Collection
The West Virginia Senate has passed SB 420, which lays out guidelines for the state’s student database, the P-20W Longitudinal Data System. Charleston Daily Mail reports the system has been collecting data going back to the 1980s, and confidential information such as Social Security numbers, e-mail addresses, religious affiliation and firearm ownership, among other information, are currently exempt from collection. “If we don't pass this bill today, the Longitudinal Data System moves forward without the privacy protections the chairman of education has so judiciously helped us put in," said Sen. Clark Barnes (R-Randolph).
Wisconsin Assembly Passes Education Privacy Bill
The Wisconsin Assembly's Education Committee has passed a bill that would impose restrictions on the state’s Department of Public Instruction and any private entity that collects student data, reports the Associated Press.
Harm Threshold Hard To Meet; Supreme Court May Soon Clarify Class-Action Questions
In an exclusive for The Privacy Advisor, Dana Post of Freshfields Bruckhaus Deringer writes about the difficulty plaintiffs face in proving “future harm” after a data breach. “Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed,” Post writes. Meanwhile, a Kansas federal judge recently dismissed two proposed class-actions filed over a breach at Nationwide Mutual Insurance Co., stating the plaintiffs couldn’t prove harm. Given the class-actions filed following Target’s recent breach, there is an increased focus on class certification, writes Amy Cadle Hocevar of Squire Sanders, adding the Supreme Court may soon provide guidance on who can and cannot comprise a class member.
Review: Transborder Data Flows and Data Privacy Law Is "Must-Have"
“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes for The Privacy Advisor in his review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.” Editor's Note: Kuner shares some thoughts from his book in this post for Privacy Perspectives.
"The Data Broker Industry Has for Too Long Operated in the Shadows"
Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) have introduced legislation that would require data brokers to be transparent about their data collection practices and provide consumers with opt-outs and would give the Federal Trade Commission civil penalty authority to enforce it, Broadcasting & Cable reports. The Data Broker Accountability and Transparency Act of 2014 (DATA Act) would also provide consumers with a means to correct data collected on them and prohibit brokers from being deceptive about their data collection. Markey said, “The data broker industry has for too long operated in the shadows, compiling dossiers on millions of Americans,” adding, “It is time to shine a light on this industry.” Last December, Rockefeller held a hearing and published a report on the industry.
FTC Announces Settlement Over Safe Harbor Claims
The Federal Trade Commission (FTC) has settled with children’s online gaming company Fantage.com after it “falsely claimed to be a certified participant” in the EU-U.S. Safe Harbor agreement, The Hill reports. In its settlement announcement Tuesday, the FTC noted the company had let its Safe Harbor certification lapse. “This does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws,” the FTC said. The proposed settlement prohibits the site “from making similar false claims in the future,” the report states. The FTC is taking “a more proactive look at this program in terms of enforcement,” FTC Chairwoman Edith Ramirez said at an event this week.
Warrantless Searches of Drug Database Blocked, Judge Rules
A federal judge has ruled that federal law enforcement’s warrantless searches of a state’s prescription drug database violate the Fourth Amendment, Reuters reports. The Oregon Prescription Drug Monitoring Program was set up in 2009 to help pharmacists and doctors track certain prescription drugs covered by the Controlled Substances Act. The state requires law enforcement to obtain a warrant prior to access, but the U.S. Drug Enforcement Agency had argued federal law allowed it access to the data under an “administrative subpoena.” U.S. District Judge Ancer Haggerty said, “It is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records.”
MeetMe Case Asks Important Questions About Notice
Earlier this month, San Francisco City Attorney Dennis Herrera filed a complaint in California state court against MeetMe, Inc., alleging the app fails to inform users how it uses their geolocation data. Stephen Satterfield writes for Privacy Tracker that the case “raises the important question of whether failure to adequately disclose how information is shared can be a violation of California’s Unfair Competition Law” and, more broadly, “what it means to provide clear notice in the mobile environment and how, if at all, the answer changes when the user is a minor.”
Revenge Porn, Copyrights and the Data We Own
Last week, The Atlantic Monthly’s Amanda Levendowski wrote about revenge porn and copyright law. There are laws that can be used by victims, but they prosecute those who submit such material, not the websites that host it, and creating new laws, she cautions, though well-intentioned, could produce overly broad ones such as the Computer Fraud and Abuse Act. Instead, Levendowski points out that victims—without the aid of a lawyer—have the power to compel websites to take down the images because the victim created the photo and thus has a copyright on the image. This installment for Privacy Perspectives looks into these issues and asks whether, instead of more laws, the copyright concept could be one possible avenue to explore further to help empower users, without stifling free speech.
Two-Decade Battle Ends with Supreme Court Ruling
Elizabeth Bernard’s 23-year battle to keep the Canada Revenue Agency (CRA), her employer, from providing public service unions with her home address and phone number has ended with the Supreme Court deciding “providing home contact information didn’t breach her privacy rights,” the Ottawa Citizen reports. The ruling states, “In our view, the compelled disclosure of home contact information in order to allow a union to carry out its representational obligations to all bargaining unit members does not engage Ms. Bernard’s freedom not to associate with the union.” The court also determined that disclosing home contact information “didn’t breach the Privacy Act because the union’s use of it was ‘consistent’ with the employment reasons that CRA collected the information for in the first place,” the report states.
Commissioner: Gov't Should Overhaul Laws
SC Magazine reports on Interim Privacy Commissioner Chantal Bernier’s recent call for the government to overhaul Canada’s privacy legislation, citing her January report on the changing context of privacy protection. “Intelligence activities are now turned towards individuals dispersed within the general population," Bernier’s report states, recommending such changes for the government as using privacy impact assessments for new programs and demonstrating the need for any personal information collected. In a recent Privacy Perspectives post, Bernier wrote that Canadians “can expect to see a plethora of challenging new issues flowing from the intersection of technology and privacy.”
BC May Give Police More Investigative Powers
A bill introduced to the BC legislature on Thursday “would allow police to get a court order forcing someone to hand over a missing person’s records,” The Vancouver Sun reports. If approved, the bill would also allow police to seek court orders “to enter a private home or other location where they believe a minor, vulnerable person or person at risk is,” and in some emergencies, police could “go ahead without waiting for a court order.” The BC Civil Liberties Association’s Micheal Vonn questioned, “What will happen with that information once it’s acquired? We have some concerns, even at this preliminary stage, that the legislation allows data that is collected to be used in criminal proceedings.”
EU Says EU-U.S. Trade Deal Should Not Pass Without U.S. Privacy Reforms
The LIBE Committee approved a report Wednesday stating the European Parliament should not agree to the EU-U.S. trade deal, the TTIP agreement, unless it fully respects EU citizens’ data privacy, Help Net Security reports. The report, which passed the committee by a 33-7 vote, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information.” The committee also “voted against calling for asylum protection for former U.S. intelligence agency contractor and whistleblower Edward Snowden,” EUObserver reports. In the U.S., the Privacy and Civil Liberties Oversight Board has testified to a Senate committee that the NSA's phone data collection is unlawful. In a recent interview, EDPS Peter Hustinx discussed NSA surveillance and the forthcoming reforms of the data protection regulation. Meanwhile, the European Agency for Fundamental Rights has released its official agenda for the EU, which includes recommendations on the EU data protection framework.
How To Prepare For Those New Laws
With the deadline to comply with Australia’s new data privacy laws fast approaching, Minter Ellison’s Tarryn Ryan and Veronica Scott examine one of the key features of the Australian Privacy Principles (APPS)—effectively legislating for the concept of Privacy by Design—in this exclusive for The Privacy Advisor. In a related story, CIO offers tips on how to best comply, noting the new legislation will allow the privacy commissioner to seek penalties—up to $340,000 for individuals and $1.7 million for companies—for serious breaches. Ryan and Scott note, “For the first time there will be a stand-alone provision that requires organisations to manage personal information in an open and transparent way.” Meanwhile, speaking at an iappANZ event, Privacy Commissioner Timothy Pilgrim, who will release guidance on the new legislation next week, “said he will not rule out putting his new enforcement powers to the test in their first 12 months, but said his office would take into account the steps an organisation had taken to achieve compliance with new privacy legislation before applying fines,” ITnews reports.
Commissioner Makes Updated Ruling on Applicant PI
PSnews reports on Australian Information Commissioner John McMillan’s updated ruling involving “the disclosure of personal information of a successful applicant in Australian Public Service (APS) recruitment processes.” McMillan ruled that other than the successful applicant's name and a statement noting the applicant was selected for promotion, “the remaining vocational assessment information was the personal information of the successful applicant,” the report states. Disclosing such information “would be unreasonable under the FOI Act and contrary to the public interest,” McMillan said, noting the prior perception that it was reasonable to disclose assessment information needed reassessment.