Senators in Florida and Illinois are proposing bills to limit surveillance and police access to data; the Texas Court of Appeals has expanded cellphone privacy rights, and the Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices. Meanwhile, the U.S. government has entered an agreement with Japan allowing the countries to share fingerprints of suspected terrorists to be matched against each other’s databases, and the U.S. Department of Justice is asking the Foreign Intelligence Surveillance Court for longer retention periods for certain data. Read about these developments and more in this week’s Privacy Tracker legislative roundup.

Latest News

Japan and U.S. To Share Fingerprint Data
Japan's Cabinet has approved a bill designed to implement the recently signed Agreement on Preventing and Combating Serious Crime with the U.S., reports Kyodo News International. If passed, the bill will speed up the sharing of fingerprint data on suspected terrorists and people engaged in serious crimes, which now must be routed through Interpol. Under the agreement, each country will be able to send a suspected criminal’s fingerprints to the other to see if there are matches in its database.

Colorado Bill Aims To Protect SSNs
Colorado’s HB 14-1141 is headed to the house after being passed by the State, Veterans and Military Affairs Committee. The bill, sponsored by Rep. Don Coram (R-District 58), would prohibit state and local government entities from requiring unpaid board members to disclose their Social Security numbers, reports The Watch.

Florida Sen. Proposes Limits on Prescription Drug Database Access
Florida Sen. Aaron Bean (R-Fernandina Beach) has proposed SB 862, which would require law enforcement to get a court order to access information in the state’s prescription drug database, reports The Daytona Beach News-Journal. Police say the database has helped curb prescription drug abuse, and a judge recently dismissed a case challenging investigators’ access to the data, but others in the state say citizens need more privacy protections. Bean says there needs to be a balance between privacy and law enforcement, adding, “The government already monitors our phone calls; they read our e-mail. Does the government have to be in our medicine cabinets, too? I don’t think they do.”

Illinois House Committee Endorses Student Privacy Bill
HB 4558, which would require that public preK-12 schools get written parental consent prior to sharing student data with outside individuals or entities, heads back to the house for consideration after gaining the support of the Elementary & Secondary Education Committee, reports The Herald-Review. The bill’s sponsor, Rep. Scott Drury (D-Highwood), points to education data nonprofit inBloom as an example of the need for the law. “Illinois is allowing your student’s data to go to a hub that’s called inBloom, along with two other states that are allowing it,” Drury said, adding, “From inBloom, third-party vendors can buy that data and target your kid by Social Security number or by name.” InBloom has released a statement saying it “will never sell student or customer data.”

Illinois Senate Considering Cellphone Tracking Limits
The Illinois Senate is now considering legislation to require authorities to obtain a search warrant prior to using cellphone geolocation technology to track individuals in most circumstances, reports The Chicago Sun-Times. Sen. Daniel Biss (D-Evanston) says his bill aims to protect privacy, noting, “If you envision a world where there’s no gates around what can be done with our information that comes from a cellphone … that’s a picture of a world that nobody wants to live in.” This is Biss’s second attempt, and with the new iteration, he has gained the support of Deputy Chief of Narcotics for the Cook County State’s Attorney Office Patrick Coughlin, who testified against his first bill. “Our biggest objection was that we needed to have probable cause for any location information, including historical information—where someone was a week ago,” which Coughlin said could hamper investigations.

New Mexico House Passes Breach Notification Bill
The New Mexico House has passed an amended version of HB 224, which would require companies to notify customers of a data breach within 45 days of discovery—as opposed to the 10 days originally proposed, reports Bloomberg BNA. The bill also includes requirements for notifying the state attorney general and consumer reporting agencies within 14 days and has a risk-of-harm threshold for notifications as well as payment card breach provisions.

Texas Court Expands Privacy Rights
American-Statesman reports the Texas Court of Criminal Appeals has expanded cellphone privacy rights in its ruling that police improperly searched a Huntsville student’s cellphone without a warrant. The phone was being held in a jail property room, and while prosecutors claimed officials have a right to search inmates’ items with probable cause, the court said in its decision, “A cellphone is unlike other containers as it can receive, store and transmit an almost unlimited amount of private information,” adding, “The potential for invasion of privacy, identity theft or, at a minimum, public embarrassment, is enormous.” The one dissenter in the nine-judge panel wrote in his opinion that the defendant failed to prove an expectation of privacy because he was not in possession of the phone and knew it was in the hands of the police. “The fact that cellphones potentially contain vast amounts of private data, by itself, does not automatically result in a finding of a reasonable expectation of privacy in every case,” he said.

Utah Considers Expanding DNA Collection Practices
The Utah Senate Judiciary, Law Enforcement and Criminal Justice Committee has approved a bill that would allow law enforcement to collect DNA samples from those convicted of felonies at the time of booking. Rep. Steve Eliason (R-Sandy), who proposed HB 212, says DNA testing helps “law enforcement know much sooner who they have in custody and how they should handle and treat them.” However, Deseret News reports, the Utah Association of Criminal Defense Lawyers says the bill violates the rights of innocent people.


DoJ Asks FISC for Increase in Retention Limits
The Department of Justice has asked the Foreign Intelligence Surveillance Court for a term limit extension for how long it can retain telephone metadata beyond the current five years, citing civil suits regarding the data, IDG News Service reports. In a filing made public on Wednesday, the DoJ wrote, “A party may be exposed to a range of sanctions not only for violating a preservation order, but also for failing to produce relevant evidence when ordered to do so because it destroyed information that it had a duty to preserve.” The American Civil Liberties Union, Sen. Rand Paul (R-KY) and the First Unitarian Church of Los Angeles have filed civil suits challenging the phone metadata collection program.

AG Holder Calls for National Breach Law
Attorney General Eric Holder has called on Congress to enact federal data breach protection legislation, CNN reports. “A strong, national standard for quickly alerting consumers whose information may be compromised ... would empower the American people to protect themselves if they are at risk of identity theft,” he said. “It would enable law enforcement to better investigate these crimes—and hold compromised entities accountable when they fail to keep sensitive information safe.” In response to claims this would overwhelm law enforcement, Holder said legislation should have exceptions for small breaches. Meanwhile, Bloomberg is reporting the hackers who compromised Neiman Marcus are almost definitely separate from those who attacked Target, and the number of cards affected is fewer than initially reported: a maximum of 350,000.

Judges: Users Have Right to Text Message Privacy
The Washington State Supreme Court has ruled citizens have the right to privacy in the text messages sent from their mobile devices, the Associated Press reports. In two 5-4 decisions, justices overturned drug convictions that hinged on law enforcement access to text messages without warrants. Justice Steven Gonzalez wrote in one of the cases, “Text messages can encompass the same intimate subjects as phone calls, sealed letters and other traditional forms of communication that have historically been strongly protected under Washington law.” The Electronic Frontier Foundation’s Hanni Fakhoury said, “People have a right to have those messages delivered without fear of government intrusion or interception, and if the government wants to intrude or intercept them, they have to get a warrant or wiretap to do so.”

HIPAA Changes Mean Tightening Vendor Relationships
With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear for performing appropriate due diligence. In this exclusive for The Privacy Advisor, David Holtzman, CIPP/G, and Erin McMillan drill down on how to comply with the changes. Editor’s Note: Holtzman will speak at next week’s IAPP Global Privacy Summit.


Court Grants Plaintiffs Anonymity in Medical Marihuana Case
The Federal Court of Canada has agreed that denying plaintiffs anonymity in a court proceeding “would disclose the very information they seek to protect and exacerbate the damage and/or risk of harm that has already been caused by Health Canada's mailing that identified them” as taking part in the Medical Marihuana Access Program, Canada NewsWire reports. Health Canada had argued public opinion on marihuana use is now “more accepting,” the report states, but the court rejected that argument, stating, “Disclosing their identities discloses that a course of treatment has been prescribed by them by a medical doctor and that they suffer from serious health conditions and symptoms.”

Series Considers Why Police Are Not Subject to FOIP
The Regina Leader-Post examines why police are not subject to Saskatchewan’s information access and privacy laws, plans to review the act and what the process to change the law might involve. “Police chiefs in both Regina and Saskatoon have expressed concern that the Freedom of Information and Privacy (FOIP) Act would put police work and sensitive information at risk,” the report states, noting the province’s former privacy commissioner, Gary Dickson, disagrees. “Being subject to FOIP doesn't mean that a public body loses all control and all of the records can go out the door,” he said.


The CNIL Is Making Its Mark
With an uptick in inspections, 43 formal compliance notices, its president named the new chair of the Article 29 Working Party and a record fine against Google for noncompliance with the French Data Protection Act, the French data protection authority, the CNIL, is asserting itself in the international data protection scene. In this Privacy Tracker post, Olivier Proust of Field Fisher Waterhouse offers concrete examples of the CNIL’s growth, resourcefulness and experience, noting “companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.” In a separate report, Proust looks at concerns regarding privacy and France’s new law on real-time geolocation.


Australian Privacy Principles Finalized, Effective March 12
The final iteration of the Australian Privacy Principles (APPs) has been issued by the Office of the Australian Information Commissioner following public consultation, Computerworld Australia reports. Public and private organizations must adhere to the APPs when they go into effect on March 12 along with the Privacy Amendment (Enhancing Privacy Protection) Bill 2012, which gives Australian Privacy Commissioner Timothy Pilgrim a mandate to seek civil penalties of up to $340,000 for individuals and $1.7 million for businesses in cases of serious breach incidents. Pilgrim said, “Most of the requirements contained in the APPs are not new, and business and government should be ready to hit the ground running come March 12.”

Written By

Emily Leach, CIPP/US

